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ABSTRACT 


The optimal defense and operation of networks against worst-case attack is an 
important problem for military analysts. We review development of existing solutions for 
the Defender-Attacker-Defender (DAD) tri-level optimization model and investigate new 
applications and solution procedures. We develop an implicit enumeration algorithm that 
incorporates addition of new defenses as an alternative solution method for the DAD 
model. Our testing demonstrates that implicit enumeration can efficiently generate all 
equivalent optimal or near-optimal solutions for DAD problems. When budgets for 
network defense or attack are uncertain, decision makers usually prioritize defenses in 
nested lists. We quantify the costs of various strategies for nesting of defenses. We design 
a parametric programming formulation of the DAD model to find nested defenses that 
have the smallest cost difference from optimal non-nested solutions. We create new 
solution procedures for the DAD constrained shortest path problem. We merge the 
attacker model with Lagrangian relaxation of the operator model into a single formulation 
that can obtain fast heuristic solutions. We combine our heuristic algorithm with 
traditional methods to obtain provably optimal or near-optimal solutions. We test our 
algorithms on medium and large networks, and our results show that our innovations can 
significantly outperform traditional nested decomposition. 
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EXECUTIVE SUMMARY 


The defender-attacker-defender (DAD) problem is a tri-level optimization model 
of the defense and operation of a system against a worst-case enemy attack. We model the 
DAD problem as a sequential game. First, the defender prepares for an attack by either 
hardening portions of a system or, in some cases, designing new additions to a system. 
Second, an attacker seeks to degrade system performance despite the defensive 
preparations. Finally, the defender of the system makes the best possible decisions to 
operate the resulting system. The solution to a DAD problem is a defense of the system to 
make it more resilient to a worst-case attack. Expression 1 is a simplified representation of 
DAD tri-level optimization model with decision variables for defense (W), attack (X) and 
operation (Y) of a system. We describe the historical development of the DAD model and 
our research develops three concepts for the DAD model. 

min max min f(W,X,Y) 

Wg'V XeZ YgT(W) 

We advance an alternative solution algorithm for the DAD model with implicit 
enumeration (IE). IE of the DAD model works by restricting and subsequently relaxing 
the defense budget of the original problem instance. IE reduces the tri-level DAD problem 
into a progression of simpler bi-level subproblems arranged in a tree structure. We expand 
enumeration theory by including the ability to design new additions to a network as 
defenses against attack. We note that IE is an alternative algorithm to obtain solutions to 
DAD problem instances because it does not use nested decomposition. 

We detennine that IE is usually slower than traditional nested decomposition to 
find an optimal solution to a DAD model. However, in problem instances where multiple 
equivalent optimal solutions exist, IE can find all of the equivalent solutions concurrently. 
Nested decomposition does not have such a capability. Furthermore, in situations where 
all solutions within a specific percentage of optimality are required, IE can generate all 
possible solutions simultaneously. We can conclude that IE is an efficient way to generate 
many equivalent solutions to a DAD minimum cost flow problem instance. 
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We investigate the implications of producing a prioritized list of defenses for a 
system when the defense or attack budget is unknown. We use the term nested defenses to 
refer to a monotonic sequence of sets, where each set of defenses for a particular budget 
scenario contains the defenses for the next smaller budget scenario. We examine how 
nested defenses differ from the optimal set of defenses for any particular defense and 
attack budget scenario for the DAD minimum cost flow problem. In particular, we 
quantify the cost of requiring a set of defenses to be monotonic. We examine various 
heuristic nesting strategies and compare their perfonnance against known optimal 
solutions. We adapt the use of vector and matrix norms as well as various decision theory 
tools to measure how a set of nested defenses differs from the set of optimal defenses. We 
define the best nested defense to be the set of defenses that is closest to the optimal set of 
non-nested defenses in terms of a vector nonn measurement over the set of unknown 
budget scenarios. We demonstrate how heuristic approaches may not produce the best set 
of nested defenses. 

In order to find the best nested defense, we develop a parametric programming 
formulation of the DAD model that allows for unknown defense or attack budgets. This 
formulation minimizes the overall system cost by considering all unknown budget 
scenarios simultaneously. Our formulation fits within the framework of stochastic 
programming. We can conclude that our parametric programming formulation can 
generate the set of nested defenses that is as close as possible to the set of optimal 
solutions over all possible budget scenarios. 

We develop a DAD model for the constrained shortest path (CSP) problem. We do 
not allow for new additions as defenses in this model. To the best of our knowledge, 
solution procedures for DAD CSP do not exist in the literature. The CSP problem is 
arduous because the additional side constraint breaks the network structure of the problem. 
Loss of network structure results in a much more difficult binary linear program to solve. 
We adapt nested decomposition techniques to solve DAD CSP instances on test networks. 
We find that the nested decomposition algorithm by itself for DAD CSP problem 
instances becomes either intractable or excessively time intensive to solve as defense and 
attack budgets increase. 
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We improve the ability to solve a DAD CSP instance by developing a Lagrangian 
relaxation heuristic. We expand known Lagrangian relaxation techniques to include 
defense and attack of the CSP problem. We develop two different alternative algorithms 
for Lagrangian relaxation of DAD CSP. One algorithm uses path enumeration techniques 
to close the gap between the bounds that are created by Lagrangian relaxation. The second 
algorithm takes advantage of the similar maximization goals of Lagrangian relaxation and 
the attacker model. We merge the attacker model and the Lagrangian relaxation operator 
model into a single model. Both algorithms find a fast heuristic solution to DAD CSP. 

We combine our heuristics with nested decomposition in order to reduce the time 
required to solve a DAD CSP instance optimally. Our heuristic algorithms cannot be 
guaranteed to give an optimal solution, but they can provide information to accelerate 
nested decomposition. We use output from our heuristic algorithms as starting values for 
nested decomposition. Our combined algorithms are significantly faster than regular 
nested decomposition to find an optimal or near optimal solution to a DAD CSP instance. 

We compare results for our combined algorithms against regular nested 
decomposition for DAD CSP on a randomly generated 50 node grid network as well as a 
large road network of the Washington, DC, area. Except for a few test cases, our 
combined algorithm is able to find the known optimal solution much faster than regular 
nested decomposition on the grid network. In some instances, we observe that our 
combined algorithm can be more than four times faster than regular nested decomposition 
in finding the optimal solution on the grid network. The road network shows that our 
DAD CSP algorithms can only scale to large problem sizes with approximately optimal 
solutions. In order to obtain a solution to a DAD CSP instance on the road network in less 
than 24 hours, we allow for solutions that are proven to be within 10% of optimality. Our 
combined algorithm is able to find an approximately optimal solution faster than regular 
nested decomposition in 19 of 25 budget scenarios on the real-world road network. In the 
best case, our combined algorithm can be 66 times faster than regular nested 
decomposition for DAD CSP on the road network. We conclude that our combined 
algorithms represent a significant improvement in the ability to solve DAD CSP instances. 
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I. 


DEFENDER-ATTACKER-DEFENDER MODEL 


A. PROBLEM DEFINITION 

This dissertation investigates applications and solutions of defender-attacker- 
defender (DAD) tri-level models to a variety of system optimization problems. Our goals 
are to expand existing knowledge about the problem structure and improve solution 
procedures for it. Alderson, Brown, Carlyle, and Wood (2011) define a DAD system 
optimization problem as a tri-level optimization model that models the optimal defense 
and operation of a friendly system against a worst-case enemy attack We model a DAD 
problem as a sequential game in which the decisions are made in a predetermined 
sequence: the defender, then the attacker and finally the defender (or operator) (Brown et 
ah, 2005). First, the defender of a system optimally prepares for a worst-case enemy 
attack by designing new additions to, or redesigning some parts of, a network or 
infrastructure system. Second, an enemy attacker seeks to optimally degrade the overall 
performance of the system despite all defensive preparations that have been made. 
Finally, the defender (or operator) of the system makes the best possible decisions to 
operate the resulting system optimally. The system defender and operator could be 
synonymous or they could be different entities with similar interests. The solution to a 
DAD problem is a defense or redesign of the system to make it more resilient to a set of 
possible attacks by explicitly considering the system’s response to each attack. Alderson, 
Brown and Carlyle (2014) define the “operational resilience” of a system is dependent 
upon its set of responses and the corresponding total costs to defenses and attacks. 

The DAD model can be formulated for any operator model, to include linear, non¬ 
linear, integer and binary programs. A common application for the DAD model is a 
network flow problem. As an example, we formally define the tri-level DAD 
optimization model in the context of a minimum cost network flow problem. We define a 
network G = (N,A) with supplies of resources at source nodes, demands for resources at 
destination nodes, and arcs with per unit transportation costs (cq) and maximum flow 
capacities (u;j). The classical minimum cost flow problem moves all resources from 

sources to destinations at the lowest cost. The amount of resources that flow on arcs is 
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governed by non-negative integer variables (Y). This is the simplest version of the 
operator problem (1.1a). If an attacker can add a penalty (q;j) to some arcs so that the 
adjusted cost of an attacked arc (X) becomes Cy + q,,, we obtain the attacker problem 
(1.1b). If we allow a defender the ability to protect a number of arcs from an attack (W), 
we obtain the defender problem (1.1c). Expressions (l.la)-(l.lc) all have blocks of 
constraints that govern the employment of defenses ( V P), attacks (S) and operation of 
flows subject to a particular defense (Y(W)). These blocks of constraints are detailed in 
later sections of this chapter. 


imn/(T) 
max min f(X,Y) 

XgE reT J 

min max min f(W,X,Y ) 

xes. YeY(W) 


(1.1a) 

(1.1b) 

(1.1c) 


Expression (1.1c) is a DAD model for minimum cost flow and it may be solved 
with a nested decomposition algorithm. Israeli uses the term nested decomposition to 
decompose a tri-level optimization problem to simpler single and bi-level sub problems. 
(1999). The key insight of nested decomposition is that the inner stage of decomposition 
functions as a sub-problem for an outer stage of decomposition. If we employ 
decomposition to solve (1.1c), and use the defenses (W) as the outer decomposition 
master problem variables, the resulting sub problem is a two-stage model along the lines 
of (1.1b), which itself can be solved using decomposition. In a nested decomposition 
approach, the values of some variables are held constant while the remaining variables 
are optimized. We define the hat symbol ( A ) to denote the holding of a decision variable 
to a fixed value during various stages of decomposition. 

B. HISTORICAL BACKGROUND 

The composition of the DAD problem involves three levels of optimization, and 
can best be described by considering each part of the tri-level optimization sequentially 
(Alderson et al., 2014). The innennost level of optimization only involves the operation 
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of the system as originally designed, under fixed values of defenses (W) and attacks (X). 
The optimal operation of a system is referred to as the operator model presented as (1.2a). 
This model could be a network flow problem, but DAD models can include any model of 
an infrastructure system as the innermost model. Existing operations research and 
engineering literature abounds with operator models of various infrastructure systems. 
Ford and Fulkerson (1962) originally considered operator models in the context of 
maximizing the amount of goods moved from a source to a receiver. 


min f(W,X,Y ) 

FEYor 


(1.2a) 


The second level of optimization in a DAD model involves the attacker, who 
wants to optimally choose the best set of attacks, under a fixed value of defenses (W). 
The goal of the attacker is to maximize the disruption to the operator of the system. 
Wollmer (1964) considered removing edges in a network in order to disrupt and reduce 
the amount of flow. The attacker model is shown in (1.2b) and is also referred to as the 
attacker-defender (AD) problem. 


max min f(W,X,Y ) 

XeE YeY(w) (F2b) 

The problem of optimal attack and subsequent operation of a system is usually 
formulated as a bi-level optimization problem. The first known application of this 
problem comes from declassified research of Harris and Ross (1955). The authors studied 
the least costly methods to block the flows of a railway network moving war supplies 
from the Soviet Union into Europe with a finite number of attacks. Some other examples 
of the kinds of infrastructure systems that can be studied with DAD problem modeling 
include, but are not limited to, a road and highway network with a flow of traffic 
(Feblanc, 1975) or an energy distribution system with flows of gas or electricity (Brown 
et ah, 2005). 

McMasters and Mustin (1970) devised one of the first algorithms to solve (1.2b) 
for the optimal attack or interdiction of a supply network. When applied to network flow 
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problems, the attacker model of (1.2b) is also historically referred to as the network 
interdiction problem (Golden, 1978). There are at least three predominant methods for 
solving an AD problem. The decomposition method of Benders’ (1962) examines one set 
of variables in a sub-problem and the other set of variables in a master problem. 
Fulkerson and Harding (1977) showed how to apply duality theory to transform the 
attacker model into a single level of optimization. A third solution method is implicit 
enumeration (IE) of all attack strategies (Scaparra & Church, 2008). We utilize all of 
these approaches in our research. 

The network interdiction problem is a computationally difficult problem. The 
computational complexity of (1.2b) has been proven to be in the class of NP-Hard 
problems (Hansen, Jaumard and Savard, 1992). Wood (1993) showed that the network 
interdiction problem is NP-Complete. 

The problem of optimal allocation of defense resources against an attacker in a bi¬ 
level defender-attacker (DA) optimization model has been in existence since the 1960s. 
Pugh (1964) considered the optimal deployment of Intercontinental Ballistic Missile 
(ICBM) defenses against an adversary designing a nuclear attack. Pugh’s (1964) 
fundamental insights of the goals of the defender and the attacker are still relevant today: 

It usually must be assumed that a prospective attacker will utilize 
knowledge of the defense deployment in designing an attack. Hence the 
defense problem is not to minimize damage resulting from a specific 
attack, but to choose that allocation of defense resources that will give best 
protection when an attack is optimized against whatever defenses are 
chosen, (p. 543) 

The shortcoming of the bi-level DA model for applications that we consider is 
that it only models actions of the defender (W) and the attacker (X). The subsequent 
reaction of the operator of the system (Y) after the defenses and attacks are not explicitly 
optimized in the bi-level DA model. The DA model is shown in (1.2c). 

min max f(W,X) 

(l.2c) 
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The order of the max and min operators in the problem formulation determines 
the structure of the problem, since the entity that wishes to maximize damage to the 
system is separate and distinct from the entity that wants to operate and/or defend the 
system. Danskin (1967) showed the placement of the operators in the bi-level 
optimization problem fonnulation is essential, since a max-min problem is not 
equivalent, in general, to a min-max problem. The standard result is in Equation (1.2d). 

max min f(W, X, Y) < min max f(W, X, Y). (1.2d) 

An AD model is a sequential two-person zero-sum game (Washburn & Wood, 
1995). In the worst case, an attacking enemy will have perfect knowledge of all defenses 
prior to commencing an attack. Implicit in this assumption is the game theoretic notion of 
perfect information, that both the attacker and the defender know all of the relevant 
information about the capabilities of themselves and their adversary (Owen, 1995). It is 
also assumed that both the attacker and defender are rational and will select the best 
strategies to optimize their objectives (Owen, 1995). It is possible that attackers may not 
always behave rationally and choose the optimal worst-case attack (Smith et ah, 2007). 
However, the assumption of rationality is always conservative in the zero-sum case. 

Early attempts at solving the DAD problem focused on reducing the tri-level 
model to a bi-level model. Wood (1993) showed the dual of the inner operator problem 
can be exploited when modeled with continuous variables. The linear programming dual 
of the inner operator problem is a maximization that coincides with the maximization of 
the attacker model. Thus, the tri-level DAD problem can be transformed to a bi-level 
problem. The DAD problem becomes a DA model in (1.2e) with operator model dual 
variables for nodes ( n ) and arcs (a). 

min max f(W,X,x,a) 

lVeVX,.,aeS ( L2e ) 

Expression (1,2e) is a challenging bi-level mixed integer program, since both the 
minimization variables (W) and the maximization variables (X) are discrete. Morton, Pan 
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and Saeger highlight the difficulty of (1.2e) by stating, “The problem is formulated with a 
nested ‘min-max’ structure, which is not amenable to solution through standard 
optimization algorithms” (2007, p. 6). A shortcoming of reducing the DAD problem to a 
bi-level model is that such a transformation is only possible when the inner operator 
model of (1.2a) has all continuous variables. If the operator model does not contain 
continuous variables, then the bi-level reduction of the DAD problem of (1.2e) cannot be 
performed. Chapters II and III will take advantage of the simplification of the DAD 
model in (1.2e). We also consider a DAD model where the reformulation in (1.2e) cannot 
be performed in Chapter IV. 

Tri-level optimization for the defense, interdiction and operation of systems have 
appeared in research as early as Israeli (1999). Israeli and Wood briefly mention the 
“system defense problem” of hardening systems against attack where “the network user 
interdicts the interdictor” with a nested decomposition scheme, but further details are not 
provided (2002, p. 111). As recently as ten years ago, real-world instances of tri-level 
DAD models were considered extremely difficult to solve (Brown, Carlyle, Sahneron and 
Wood, 2005). Scaparra and Church declared, “To the best of the authors’ knowledge, no 
efficient algorithms have been proposed to deal with three stage [defender-attacker- 
defender] problems” (2008, p. 1906). However, advances in computing power and 
modeling techniques allow larger tri-level DAD problems to be solved in a reasonable 
amount of time. The tri-level model incorporates everything from the bi-level model, 
along with the addition of a distinct action for the defender of the system in anticipation 
of an attack. The defender chooses a defense option subject to a set of constraints that 
either expand the system by constructing additional new edges or harden the system by 
reducing the impact of an enemy attack against an edge. The defender model of (1.1c) is 
restated as (1.2f), and is also known as the DAD problem (Alderson et al., 2011). 

min max min f(W,X,Y ) 

0'e'T XeE Y eT(w} 2f) 

Israeli observed that (1.2f) is “NP-Hard and not known to be in NP” (1999, p. 61). 
Expression (1.2f) incorporates the network interdiction problem of (1.2b) as a special 
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case when there are zero defenses. Evaluation of any feasible defense requires the 
solution of an NP-Hard interdiction problem to compute an objective function value. 

Algorithms to find optimal solutions to the defender model of (1.2f) as a tri-level 
optimization model were conjectured by Israeli (1999), but not implemented. Successful 
implementations of tri-level DAD algorithms are a recent development (Alderson et al., 
2011 & 2014). Instances of an original Soviet Union railway problem from Harris and 
Ross (1955) have been solved using tri-level optimization by Alderson, Brown, Carlyle 
and Cox (2013). Tri-level optimization has also been applied to a fuel distribution 
network (Alderson et al., 2015). We use the fuel distribution network from these authors 
paper to test and validate some of our research results in Chapters I—III. 

C. DAD NESTED DECOMPOSITION ALGORITHMS 

As a starting point, we implement decomposition algorithms based on Alderson et 
al. (2011 & 2014) of a particular tri-level DAD problem instance using the General 
Algebraic Modeling Software (GAMS) version 24.5 with the IBM CPLEX solver. The 
DAD decomposition algorithms we implemented are similar to those employed by 
Benders (1962) with one key difference. Benders (1962) decomposition uses continuous 
variables in the sub problem and discrete variables in the master problem. Our 
decomposition procedure features binary defense variables (W), binary attack variables 
(X) and integer flow variables (Y). The differences in variable types require 
modifications to traditional decomposition techniques. We present the formulation of a 
DAD minimum cost flow problem and our implementation of decomposition in this 
section as an example of DAD nested decomposition. The nested decomposition 
algorithms discussed here follow the structure of Alderson et al. (2011 & 2014). 

1. DAD Minimum Cost Flow Model Formulation 

Alderson et al. (2014 & 2015) present a DAD model for defending, attacking and 
operating a minimum cost network flow model. We formulate the DAD minimum cost 
flow problem in order to explain the inner workings of nested decomposition. We use this 
notation as a common lexicon in Chapters I—III. Chapter IV has minor changes to this 

notation, as a different DAD problem is considered. 
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Sets: 


n e N 

Nodes of the network (Note: i and j are used as aliases for n). 

(Uj)eE 

Undirected edges of the network. 

(i,j)eA 

Directed arcs of the network. 

d sD 

Defense options available for undirected edges (i, j). 

(Note: do represents option of no defenses.) 

k e K 

Iterations of inner decomposition. 

h'eK' 

Iterations of outer decomposition. 


Data: 


Vijd 

Pn 


demand n 
attack _budget 
defense _ budget 


Cost to move one unit of flow on arc (i, j) under defense plan d. 
Maximum capacity of undirected edge (i, j) under defense plan d. 
Per unit penalty cost to use attacked arc (i, j) with defense plan d. 
Per unit penalty cost for not satisfying demand at node n. 

Cost to attack undirected edge (i, j). 

Cost to protect or build undirected edge (i, j) under defense plan d. 
Resources at node n. (positive is supply, negative is demand) 
Maximum number attacks the attacker can afford. 

Maximum number of defenses the defender can afford. 


Decision Variables (units): 


S n Amount of unfulfdled demand (shortage) at node n. (Units: items, etc.) 

S nk , Unfulfdled demand at node n during outer decomposition iteration k’. 

W jd Binary; 1 if edge (i, j) chooses defense option d, 0 otherwise. (Unit less) 

Xj Binary; 1 if edge (i, j) is attacked, 0 otherwise. (Unit less) 

Y iJd Amount of flow on arc (i, j) with defense d. (units: barrels, items, etc.) 

Y )jdk . Flow on arc (i, j) with defense d during outer decomposition iteration k’. 

n Dual variable associated with each network node n. 

n 

a ijd Dual variable associated with each network arc (i, j) under defense plan d. 

Z AD Objective function value of inner decomposition 

Z DAD Outer decomposition objective function value 


Additional Notation: 

W ijd Fixed value 1 if arc (i, j) has defense option d assigned; 0 otherwise. 
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Xj Fixed value 1 if edge (i, j) is assigned to be attacked; 0 otherwise. 

X ijk , Fixed value 1 if edge (i, j) is attacked in outer iteration k’; 0 otherwise. 

Y ijdk Fixed amount of flow assigned to arc (i, j) with defense d in iteration k. 

S nk Fixed amount of unfulfilled demand assigned to node n in iteration k. 


Formulation: 



min max min £ £ [c ijd + (q • X tj )) • Y ijd 

W >i“ X ‘J Sn> Y ijd d G D (i,j)sE ' ' 

+ ( C jid + [fljid • X ij )) • Y jid + X S „ ‘ Pn > 

neN 

(1.3a) 

Subject To: 



X X Y njd “XX Y ind ~ S n- demand n 

d&D (n,j)e.A dsD (i,n)&A 

V« e N, 

(1.3b) 

Y ijd + Y jid — U ijd ' W ijd 

V(i,j)eE,d e£>, 

(1.3c) 

'y'] Tj -Xy < attack_budget, 


(1.3d) 

X X h ijd -Wj d < defense_budget, 

deD: ( i,j)eE 
d*d 0 


(1.3e) 

IX = i 

deD 

V(/,y) e E, 

(1.3f) 

o 

Al 

•o 

V(f,y) e A,d eh, 

(l-3g) 

s„:>o 

Vn e N, 

(1.3h) 

X, E {0,1} 

V(/,y)eE, 

( 1 -3i) 

W iid e {0,1} 

V(/,y) e E,d e D. 

(l-3j) 


The objective function (1.3a) expresses the three levels of optimization. The 

innennost minimization operator seeks to minimize the cost of flows (Y) and shortages 

(S) on the network after defenses and attacks are fixed. The middle maximization 

operator has the objective of maximizing the cost of the resulting optimal flow, by 

attacking arcs for a given defense plan. The outer minimization operator chooses the 

optimal defense (W) to minimize the worst-case cost over all attacks. Equation (1.3b) 

represent balance of flow equations for each node in the network, with an elastic variable 

compensating for unfulfilled demand. Equations (1.3c) are bi-directional (i.e., shared) 

capacity constraints for each edge in the network, forcing total flow on an edge to be less 

than the maximum capacity (u) for the edge under a particular defense option (d). 

Equation (1.3 d) is a budget constraint on the attacker to ensure that the attacker can only 
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attack as many edges as he or she can afford. Equation (1.3e) is a budget constraint on the 
defender which ensures the amount of network expansion or hardening stays within a 
budget. Equation (1.3f) ensures each edge of the network can only have one defense 
option chosen. Equations (1.3g) - (1.3j) enforce variable types. 

At a minimum, we have two possible defense choices for each arc. Defense 
choices in our application either leave an arc undefended (do) or choose to defend an arc 
(di). Our development of DAD CSP is based on two defense choices. However, our 
formulation can support more than two defense choices. 

We can now define the constraint sets from the previous section in the context of 
the DAD minimum cost flow problem. The operator model constraint set (T (W)) 
consists of Equations (1.3b), (1.3c), (1.3g), and (1.3h). The attacker model constraint set 
(S) consists of Equations (1.3d) and (1.3i). The defender model constraint set (T*) 
consists of Equations (1.3e), (1.3f), and (1.3j). Although Equation (1.3c) contains defense 
variables (W), we consider it to define the feasible region of the path variables (Y), and 
not to place any restrictions on the defense variables (W) themselves. Since the defender 
chooses the defense variables (W) before the path variables (Y) are determined, the 
operator model is feasible for any feasible values of the defense variables (W) in the 
defender model. 

2. AD Inner Decomposition 

The structure of the inner decomposition is a bi-level maxi-min AD optimization 
problem. The inner decomposition fixes the values of the defense variables (W), resulting 
in an AD inner decomposition problem in the form of (1.2b). 

AD Inner Decomposition Problem Formulation: 


max min ^ £ (c ijd +L Jd -( 

X ‘j dsD(i,j)sAy V v 

Subject to: 


J)k,+£VA„ 

' ' A n<=N 

(1.4a) 

£ £ X* -£ £ Y,„ - S. 

deD (n,j)GA deD (i,n)eA 

< demand n 

\/n e N 9 

(1.4b) 

Y ijd + Y jid - u ijd • w ijd 


V(i,j)eE,d eD, 

(1.4c) 
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^ r ■ X j < attack _ budget. 


(1.4d) 




o 

Al 

V(/,y) e A, d e D, 

(1.4e) 

s„>o 

\/n e N, 

(l-4f) 

X] e {0,1} 

V(z,./) e E. 

(l-4g) 


Expression (1.4a) maximizes the minimum cost of flow over the network. 
Equation (1.4b) is identical to the balance of flow Equations (1.3b). Equation (1.4c) is 
similar to Equation (1.3c) except the defense option is fixed in the inner decomposition. 
Equations (4d-4g) are carried over from the previous formulation. 

The inner AD sub-problem has a maxi-min structure that can be solved with two 
different approaches. The first approach is a decomposition of the primal problem. The 
second approach takes advantage of continuous flow variables (Y) to fonnulate a dual 
integer linear program (ILP) with a single level of optimization. The dual problem has a 
maxi-max structure which replaces the inner stage of decomposition. Either approach to 
the inner AD problem will function as a sub-problem for the outer decomposition. 

Solution elimination constraints (SEC) appear in both of the following approaches 
because it is possible that the inner decomposition can produce an attack that has been 
attempted previously (Alderson et ah, 2014). If the repeated attack solution is utilized 
again in the outer decomposition, there is a possibility that the outer decomposition could 
cycle endlessly between previously found defense solutions. The SEC function as anti¬ 
cycling constraints for the outer decomposition. SEC are only activated in a 
decomposition iteration if the attack found in the current iteration was also found in a 
previous iteration. Otherwise, the SEC is not included in an iteration. Activation of the 
SEC in an outer decomposition iteration forces the outer decomposition master problem 
to produce a new and different solution that breaks the cycling of the outer decomposition 
(Alderson et ah, 2011). 

a. AD Primal Decomposition Formulation 

The maxi-min linear decomposition of the AD inner problem can be modeled by 
introducing new decision variables as described in Rardin (1998, pp. 159-160). The AD 
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primal inner subproblem represents the operator model, where the defender seeks to 
minimize the cost of moving resources from sources to destinations in a network with 
fixed defenses (W) and attacks (X). 


AD Minimum Cost Flow Primal Inner Subproblem Formulation: 


min 


s„x 




iid 0 J)gA 


d&D (n,j)eA 


c ij d +1 l li,.i ' x a 


deD (i ,n)eA 


+ X ; 


></ 


‘>J ' J J 


Y ljd +Y jid <u ljd -W lJd 

Yj d > 0 
S. >0 


■Y ijd +Yj S n ' Pn > 

(1.5a) 

neN 


r „ VneX, 

(1.5b) 

V(i,y) e E,d e D, 

(1.5c) 

V(z, /') (E A, d e D, 

(1.5d) 

\/n e N. 

(1.5e) 


Expression (1.5a) is the operator objective, which is to minimize the cost of 
moving resources from source to destination in the network after defenses and attacks 
have occurred. Equation (1.5b)-(1.5e) restate their respective constraints from system of 
Equations (1.4). The set K represents iterations over an inner AD model. The result of 
each iteration of the AD primal inner sub problem is a lower bound on the inner 
decomposition. Each time the objective function is better than the existing lower bound, 
the bound is updated. 

The AD primal inner master problem represents the attacker problem, where the 
attacker has a fixed budget to damage or degrade the network in order to maximize the 
cost of moving resources from sources to destinations. In the AD primal inner master 
problem, the values of the flows (Y) and shortages (S) are fixed values input from the 
primal inner sub problem. 

AD Minimum Cost Flow Primal Inner Master Problem Formulation: 
max Z 4D , (1.51) 

XijXad 

{pijd + dijd ' X ij ) ‘ Yydk + ( C jid + djid ' X ij ) ' Y jidk + ZkrP, dkzK, (1.5g) 

d^D (i,j)cE neN 

^ r ■ Xj < attack_budget, 

UJ)cE 

X.. £{0,1} V(/J)e£, 
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(1.5h) 
(1 -5i) 



Mk'eK. 


X x„ + x (i-*„)*> 

UJ)eE: (i,j)eE: 


(l-5j) 


Expressions (1.5f) and (1.5g) work together to create the objective of maximizing 
the cost of flow through the network through the choice of attacks. Equation (1.5g) 
represents the restriction of the problem through “cuts” of the feasible region performed 
by the choice of attack variables (X) in each iteration (k) of inner decomposition. 
Equations (1.5h) and (1.5i) restate Equations (1.3d) and (1.3i). 

The AD master problem produces an upper bound on the inner decomposition. 
During iterations that improve the upper bound, the attack associated with that iteration is 
saved as the best known attack (X*). When the inner decomposition completes because 
either the inner lower and upper bounds converge or the number of iterations (k) has been 
reached, then the best known attack (X*) is given as an input to the DAD outer 
decomposition master problem. 

Equation (1.5j) is the SEC for the outer decomposition. When the inner 
decomposition produces a best attack (X*) that is the same as a best attack from a 
previous outer iteration (k’), then there is a potential for cycling of the outer 
decomposition. In order to prevent cycling, the SEC of Equation (1.5j) is temporarily 
activated in the inner decomposition to ensure that an alternate best attack (X*) is 
produced that has never been produced in a previous outer iteration (k’). 

b. AD Dual ILP Formulation 

In order to eliminate inner iterations, we can alternatively formulate the AD dual 
ILP problem by taking the dual of the innermost minimization sub problem. The dual 
problem exists only when the network structure of the problem allows the flow variables 
(Y) to be treated as continuous variables. From the primal fonnulation, we note that 
Equation (1.3b) has dual variable [-7t n ] which represents each node and Equation (1.3c) 
has dual variable [-aijd] which represents each edge. We introduce both the dual variable 
for the node equations and the edge equations as negative values for convenience. 
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AD Minimum Cost Flow Dual ILP Formulation: 


max - £ demand n • n n - £ £ u ijd 

X lj ,a tjd ’ K n „ eJV deD(i,j)xE 

Subject to: 

' a jd ^d. 

(1.6a) 

-*i + n i ~ a m |,, - a M Lj ~ c m + ($W 


(1.6b) 

n n ~ Pn 

Mn € N, 

(1.6c) 

^ r -Xy < attack _ budget. 


(1.6d) 

o 

Al 

i 

V(i \,j)eE,d e D, 

(1.6e) 

-n n > 0 

Mn e N, 

(1.6f) 

Xj e {0,1} 

V(?,y) e E, 

(l-6g) 

X x „+ X (l-V ; )al 

U,j)cE: </./>• 

X,,f=0 x m .=\ 

Vk'tK. 

(1.6h) 


Expression (1.6a) is the dual objective function, which seeks to maximize the cost 
flow for an attack based on a given defense strategy. Equation (1.6b) is the dual for each 
node, which occurs over the set of all arcs and defense strategies. Equation (1.6b) has 
variables with set restrictions because of the relationship between the decision variables 
and the undirected edge set (E) vs. the directed arc set (A). Note that the node dual 
variables (jt n ) exist for all nodes, and the edge dual variables (ap) exist over the set of all 
edges (E) and defense options (D). However, the edge dual variables do not exist over the 
set of all directed arcs A. Equation (1.6c) is associated with shortages at each node, which 
effectively places an upper limit on the node dual variables. Equation (1.6d) restates 
Equation (1.3d). The dual decision variables have non-negativity restrictions in Equations 
(1.6e) and (1.6f) because the dual variables are introduced with negative values. Equation 
(1.6g) ensures attack variables are binary values. Equation (1.6h) is a SEC that is 
activated as necessary to prevent cycling in the outer master problem as described in the 
explanation of Equation (1.5j). The output of the AD dual ILP is an attack (X) that is 
input to the outer decomposition. 

3. DAD Outer Decomposition 

The outer decomposition master problem takes the best known attack (X*) from 
either version of the inner AD problem as input to the DAD outer master problem. Each 
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outer decomposition iteration (k’) detennines the best choice of defenses (W) in response 
to the attacks (X) that it has observed so far. Furthermore, each outer decomposition 
iteration (k’) must also detennine the best combination of flow variables (Y) in 
conjunction with the defense variables (W). 

DAD Minimum Cost Flow Outer Master Problem Formulation: 

w min Z DAD , (1.7a) 

W ijd > r ijdk '^nk' 

Subject to: 

Z DAD — EE {fijd + Vijcl ' ^ijk^ijdk' + {cjid + 7 jid ‘ ^ijk' ) Y jidk' + 'Ls„-p,Vk'eK, (1.7b) 


d&D (i,j)eE nsN 

X X Y n,dr “X X Y indv-Snr ^ demand n VneN,k'eK, (1.7c) 

deD {n,j)&A d&D (\,n)&A 

V + Y m' ^ % • W m W’J) eE,deD,k'eK, (1.7d) 

S nk , >0 \/n e N,k' e K, (1.7e) 

Y jdk ,> 0 V(i,j)zA,dzD,k'zK, (1.7f) 

^e{0,l} V(i \J)eE,deD. (1.7g) 


Expressions (1.7a) and (1.7b) work together to create the objective of minimizing 
the cost of flow through the network based on fixed values of attacks (X) obtained from 
the inner AD problem. Equation (1.7b) represents the restriction of the outer DAD 
problem through cuts of the feasible region performed by the choice of defense (W), flow 
(Y) and shortage (S) variables in each iteration (k’) of outer decomposition. Equation 
(1.7c) expands Equation (1.3b) to include flow (Y) and shortage (S) variables for each 
round of outer decomposition (k’). Equation (1.7d) ensures the flow (Y) variables do not 
exceed their maximum capacity for an edge for every iteration of outer decomposition 
(k’). Equations (1.7e)—(1.7g) enforce variable types. 

The output of the DAD outer master problem is a set of defense variables and an 
objective function value. The outer master problem updates the outer decomposition 
lower bound when the objective function value is greater than all previous outer iteration 
values. Whenever the outer lower bound is updated, the defense associated with that 
outer iteration (k’) is retained as the best known defense (W*). When the outer upper and 
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lower bounds match, the outer decomposition is completed and the best known defense 
(W*) is the optimal defense for the original DAD problem instance. 


D. EXAMPLE APPLICATION OF DAD PROBLEM 

Our test network for DAD minimum cost flow models is a 16 node fuel 
transportation network depicted in Figure 1 from Alderson, Brown and Carlyle (2015). In 
Figure 1, the black nodes represent supply nodes with 10 units of fuel each, and the white 
nodes represent demand nodes with a demand of one unit of fuel each. Each edge 
between the nodes has a cost of one unit for each unit of fuel that traverses the edge. A 
double solid line represents system redundancy with two edges connecting a pair of 
nodes. If an edge is defended, it is invulnerable to attack. Defending a solid line edge has 
a defense cost of one unit. Dashed lines represent edges that can be built as defenses with 
a defense cost of two units. We assume that new edges cannot be attacked. 



Figure 1. Test Network for DAD Models. Adapted from Alderson et al. (2015). 

Different problem instances of the DAD tri-level optimization model are 
considered by varying both the defender and attacker budgets from zero to five units 
each, resulting in 36 different problem instances. Both decomposition methods were 
calculated using GAMS software version 24.5 with the CPLEX solver on a computer 
with Microsoft Windows 7, a 3.2 GHz processor and 8 GB of RAM. We can solve 36 
instances of the DAD problem on the test network using nested decomposition in roughly 
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60 minutes. We can solve the same 36 instances using the dual ILP and decomposition in 
roughly 8 minutes. For this test case, the difference in solution speed is dramatic, with the 
dual ILP and decomposition method clearly superior. 

For the 36 problem instances, both implementations of the DAD decomposition 
produced the same objective function values as Alderson et al. (2015). In some cases, 
more than one combination of defenses and/or attacks can produce the same optimal 
solution value. Table 1 shows a portion of the results for the DAD decomposition applied 
to the network of Figure 2 for varying attack strategies when the defense budget is fixed 
at four units. Table 2 takes the opposite view of supposing that the defender has 
intelligence that the attacker budget is fixed at four units, and there is a varying defense 
budget available. Edges not appearing in Tables 1 and 2 have no recommendations for 
attack or defense. Green colored cells indicate defensive action and red colored cells 
indicate attack action in Tables 1 and 2. 


Table 1. Test Network Solution with Fixed Defense Budget of Four Units 


Defense Budget^ 4 
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Table 2. Test Network Solution with Fixed Attack Budget of Four Units 



E. SUMMARY OF CONTRIBUTIONS 

The existing literature defines the basics of the DAD problem applied to 
infrastructure systems, but there are many unexplored topics associated with this 
problem. Literature provides formulations only for minimum cost flows and shortest 
paths. Literature also provides a nested decomposition approach with SEC to obtain an 
optimal solution to a DAD problem instance. This dissertation seeks to expand 
knowledge of DAD problems beyond the one solution approach. We address three 
interesting areas of the DAD problem that have not been developed in existing literature. 

1. Efficient Enumeration Algorithms for the DAD Model 

Chapter II explores the ability to generate multiple optimal solutions and near 
optimal solutions to a DAD minimum cost flow problem instance. The knowledge that 
equivalent optimal solutions exist can be useful information to a decision maker. For 
example, if an analyst has a defense budget of three units to defend a system against a 
worst-case attack, it could be helpful to know if there is only one possible optimal 
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defense or more than one equivalent optimal defenses. Many equivalent optimal solutions 
can present a range of equally good choices to defend a system. Similarly, a decision 
maker may want to know all of the defense options that are within a small fixed 
percentage of the optimal solution. Decision makers could then use a range of options to 
help weigh other factors to the system that cannot be modeled, but are still important to 
consider. In the real world, some defenses that appear to be equal on paper may have 
other considerations that make one set of defenses preferable to another set of defenses, 
even though they both produce the same objective function value. Traditionally, finding 
many optimal and near optimal solutions would require resolving the DAD problem for 
each additional solution that is desired. We design an algorithm that can find all of the 
optimal and near optimal solutions to a DAD minimum cost flow problem efficiently. 

Chapter II harnesses the theory of implicit enumeration (IE) to efficiently 
generate all equivalent optimal solutions. IE can also find all near optimal solutions for 
any specified solution tolerance. Implicit enumeration works by restricting and 
subsequently relaxing the defense budget of the original problem instance. IE reduces the 
tri-level DAD problem into a group of simpler bi-level AD sub problems arranged in a 
tree structure in order to systematically build solutions. IE avoids the possibility of listing 
every possible solution by rejecting combinations of defenses and attacks that could not 
lead to an optimal or near optimal solution. The original application of IE to DAD 
optimization problems was developed by Scaparra and Church (2008). These authors 
present the use of IE in the context of defending and attacking the placement of 
warehouse facilities. Our contribution is to adapt, generalize and expand on known IE 
theory and apply it to the tri-level DAD minimum cost flow problem. 

2. Impact of Nested Defenses on Optimality 

Chapter III investigates system defense planning under uncertain budget 
scenarios, and how that uncertainty impacts optimality. It may be possible that a system 
analyst may not be certain about the budget for his or her defenses, the attack budget of 
the adversary, or both. When faced with budget uncertainty, the analyst may produce a 
list of prioritized defenses for the system. The prioritized list would include the best 
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defense, second best defense, third best defense, and so on. A prioritized list becomes a 
set of nested defenses to be chosen when the budget scenario becomes known. We use the 
term nested to refer to a monotonic sequence of sets, where each set of defenses for a 
particular budget scenario contains the set of defenses for the next smaller budget 
scenario. The use of nested defenses is attractive to decision makers because it simplifies 
the complex analysis of choosing the best defenses under uncertain budgetary scenarios 
into a single list. 

The set of nested defenses almost always is not the same as the set of optimal 
defenses for any particular defense and attack budget. It is clear in existing literature that 
the best defenses chosen for a defense budget of two units is usually not a subset of the 
defenses chosen for a defense budget of three units, and so on. An example is shown in 
Figure 2 from Alderson et al. (2015). Figure 2 shows that if the defense budget is known, 
but the attack budget is unknown for the fuel network, then the elements of an optimal 
defense change. In Figure 2, the panels labeled (b) to (e) show that even when the defense 
budget is unchanged at four units, each change in the attack budget from two to five units 
results in a different set of optimal defense elements chosen and a different set of worst- 
case attacks. The optimal defenses for the network are shown as blue edge lines, and the 
worst-case attacks are shown as small explosions on edges. A similar effect exists when 
the defense budget is unknown and the attack budget is known. 



Figure 2. Optimal Defenses Change as the Attack Budget Changes. Source: 

Alderson et al. (2015). 


Chapter III uses the same network as Alderson et al. (2015) to investigate the 
effects of nested defenses. We examine how nested defenses differs from the optimal 
solution for any particular defense and attack budget scenario and, in particular, we 
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quantify the “cost” of requiring a set of defense plans to be monotonic. A gap exists in 
current literature for how to address the situation when both defense and attack budgets 
are uncertain, and we propose a strategy for that situation. We examine various heuristic 
nesting strategies and compare their performance against the known optimal solutions. In 
order to find the best possible nested defense, we develop a new parametric programming 
formulation of the DAD minimum cost flow problem that accepts uncertainty in the 
defense and attack budgets. This new formulation generates a nested defense that is as 
close as possible to the set of optimal non-nested solutions. 

3. Incorporating Heuristics to Speed Up DAD Solution Algorithms 

Chapter IV develops a DAD model for the constrained shortest path (CSP) 
problem. To the best of our knowledge, solution procedures for the DAD CSP problem 
do not exist in the literature. The challenge associated with the CSP problem is that the 
side constraint placed on a shortest path problem breaks the network structure of the 
problem. Loss of the network structure of the problem results in a much more difficult 
binary program because the path variables (Y) cannot be treated as continuous. First, we 
formulate and solve instances of the DAD CSP by adapting existing DAD nested 
decomposition techniques from the literature. We find the point where existing DAD 
solution techniques become either intractable or excessively time intensive to solve the 
problem. Our goal is to develop alternatives and improvements to the nested 
decomposition approach to solve DAD CSP problem instances more efficiently. 

We improve the time it takes to find a solution to a DAD CSP instance by 
applying Lagrangian relaxation. Ahuja, Magnanti and Orlin (1993) explain the use of 
Lagrangian relaxation on a regular CSP problem instance involving a small test network. 
Fisher (1981) notes that the Lagrangian relaxation is able to find a greatest lower bound 
on an original problem instance. Since only a greatest lower bound can be determined, we 
observe Lagrangian relaxation is a heuristic approach to finding a solution. 

We expand the Lagrangian relaxation techniques found in existing literature to 
include defending and attacking the CSP problem. We develop two different alternative 
algorithms for Lagrangian relaxation of DAD CSP. The first algorithm closes the gap 
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created by the Lagrangian lower bound by using path enumeration techniques proposed 
by Carlyle, Royset and Wood (2008). The second algorithm takes advantage of the fact 
that iterative Lagrangian relaxation searches for the greatest lower bound and the attacker 
model seeks to maximize the length of the shortest path. These similar goals allow us to 
combine the attacker problem and Lagrangian relaxation into a single mathematical 
model. Both algorithms are able to find a heuristic solution to DAD CSP quickly. 

We also develop algorithms to combine our heuristic approaches with traditional 
methods to obtain provably optimal or near optimal solutions. By themselves, our 
improvements to Lagrangian relaxation remain a heuristic approach to the DAD CSP 
problem. The goal of our combined algorithms is to reduce the time required to obtain an 
optimal or approximately optimal solution to a DAD CSP instance when compared to 
regular nested decomposition. We test our algorithms on medium and large networks to 
show the scalability of our innovative approaches to solve the DAD CSP problem. Our 
results show that our new algorithms are significantly faster than regular nested 
decomposition to find an optimal or near optimal solution to a DAD CSP instance. 
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II. IMPLICIT ENUMERATION OF DAD PROBLEM 


A. IMPLICIT ENUMERATION THEORY 

Wagner (1975) gives a general goal for any enumeration algorithm as follows: 
“What we want are techniques that partially enumerate a manageable number of 
possibilities and implicitly enumerate the rest” (p. 473). The method of systematically 
discarding provably suboptimal combinations of decision variables is called Implicit 
Enumeration (IE). Formally, IE refers to “a systematic evaluation of all possible 
[feasible] solutions without explicitly evaluating all of them” (INFORMS, 2015). We 
develop an IE algorithm for defender-attacker-defender (DAD) problems that enumerates 
defense plans in a specific order. We use a bounding argument based on evaluating the 
resulting attacker-defender (AD) subproblem to significantly reduce the amount of 
enumeration required. 

IE represents an alternative algorithm to obtain solutions for DAD problem 
instances. IE does not use the traditional nested decomposition algorithm in Chapter 1. 
Our enumeration algorithm manipulates the defense budget to restrict and relax the 
feasible region of the defense variables (T) in DAD model (2.1a). Our IE algorithm 
systematically fixes defense variables (W) and solves a series of bi-level AD models 
shown in (2.1b). The IE algorithm can also find multiple equivalent solutions to a 
problem instance when they occur. Similarly, if all solutions within a given percentage of 
the optimal solution are desired, IE can generate all of possible objective function values 
and the combinations of variables needed for each solution. 

min max min f(W,X,Y ) 

IVe'Y JTeE YeY(IV) 

max min f(W,X,Y) 

XcE Y sY(#) 

The IE algorithm creates a tree of AD subproblems beginning with the restriction 
of the defense budget to zero units at the root node, followed by incremental relaxations 
of the defense budget at subsequent nodes. Every node in our enumeration tree represents 


(2.1a) 

(2.1b) 
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an instance of an AD subproblem with a fixed defense plan (W) that produces a 
corresponding worst-case attack (X). The children of this parent node are specified by 
adding one more fixed defense (W) to the defense plan if its corresponding AD 
subproblem results in either a change to the worst-case attack (X) or an improvement of 
the objective function value. Enumeration of fixed defenses in child nodes is ended when 
the relaxed defense budget reaches its original value. 

In this chapter, we utilize the DAD minimum cost flow problem formulation and 
the 16 node fuel transportation network (Alderson et ah, 2015) described in Chapter I. In 
the remainder of this chapter, we assume that there are exactly two defense options for 
each edge: do means no defense (or no construction for an edge that does not have 
capacity in the undefended case) and dj represents the sole defense option for any edge 
that can be defended or built. We use the term defended to refer to edges for which we 
choose option di and “undefended” for edges which we choose option do. In cases where 
we want to model more than these two defense options for an edge, our discussion 
generalizes in a straightforward way. 

1. Enumeration of Defenses in the Literature 

Scaparra and Church (2008) develop an enumeration algorithm to solve a specific 
optimization problem called the “R-Interdiction Median with Fortification” (RIMF) 
problem, which is concerned with the defense of a limited number of facilities against 
attack. These authors uses duality within (2.1b) to treat a tri-level optimization problem 
with a bi-level model in (2. lc). 

max f(W,X,7t,a ) 

x ^.“ eE (2.1c) 

Scaparra and Church state “In our specific case, the attacker-user problem can be 
modeled as a single-level mixed-integer [program] (MIP), so that what is in principle a 
tri-level defender-attacker-user problem can be reduced to a bi-level min-max problem” 
(2008, p. 1906). Scaparra and Church take advantage of the operator model continuous 
variables (Y) in order to reduce the bi-level AD model (2.1b) into a single level 
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optimization model similar to (2.1c). IE has not been successfully implemented on a tri¬ 
level DAD optimization problem without using duality. Scaparra and Church state “To 
the best of the authors’ knowledge, no efficient algorithms have been proposed to deal 
with three-stage defender-attacker-user problems” (2008, p. 1906). 

In the RIMF problem, Scaparra and Church (2008) observe that the optimal 
defense against a worst-case attack must include at least one of the items that would be 
attacked if the system was undefended. To prove their point, the authors choose a starting 
point in IE of an undefended system, where all of the defense variables are fixed to zero, 
and observe the worst-case attack. Next, the authors observe that the only way to prevent 
the worst-case attack from occurring again is to defend one of the items that was attacked 
in the undefended scenario. The authors reason that “this observation can be easily 
explained by noticing that if none of the facilities in the optimal interdiction set is 
protected, then it is still possible to interdict all of them and the worst possible case of 
interdiction is not prevented” (2008, p. 1910). 

This observation serves as one of the key concepts for our IE theory. At each node 
of IE, a subproblem is formed and a worst-case attack is observed. The AD subproblem 
in RIMF is similar to (2.1c). In the RIMF problem, the next layer of the IE tree is created 
by enumerating a fixed defense (W ) for each of the observed attacks in an AD sub 
problem. The authors realize that any other defense that is not responding to a specific 
attack is not going to prevent that same attack from occurring again. Therefore, if the 
next defense chosen in the subsequent round of IE does not specifically prevent the worst 
attack from occurring again, then the selection of that particular defense at that particular 
time must be a suboptimal choice. 

2. Contributions to IE Theory 

To the best of our knowledge, this is the first IE scheme of its type designed for 
the general DAD model. We provide an enumeration scheme similar to that proposed by 
Scaparra and Church (2008), but enhanced to handle the more general case. Our research 
makes two advances in IE theory. First, we expand IE theory to include more general tri¬ 
level DAD models. Our algorithm has the ability to use the dual MIP approach (2.1c) and 
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it can also incorporate solution procedures using (2.1b) for other tri-level DAD models 
where the dual MIP technique cannot be used. In this case, IE of fixed defenses results in 
bi-level AD sub problems that can be solved with traditional methods. 

Our second contribution to IE theory is that our algorithms include the ability for 
IE to include network design as a potential defense for a tri-level DAD model. We 
introduce the ability to add new edges as system defenses. In the RIMF problem, 
Scaparra and Church (2008) note that defending each of the worst-case attacks one by 
one will lead to changes in the worst-case attack, and therefore they should be the only 
candidates for defenses. In the more general DAD setting, however, a defense variable 
can refer to the creation of new components. If the capacity of an undefended arc is zero, 
but the capacity of a defended arc is non-zero, then that arc only exists if we defend it. 
We define new edge transport capacity (u) to be zero when the edge is not added to the 
network (do), and greater than zero when it is added to the network as a defense (di). In 
this case, our enumeration must allow that new edges can alter the performance of the 
system, and therefore can reduce the impact of the worst-case attack. 

Proposition 2—1: The addition of new edges is a feasible defense strategy against worst- 
case attack. 

In the RIMF problem, prevention of a worst-case attack must include defending at 
least one of the items in the worst-case attack. We prove that this observation does not 
hold for a general DAD problem instance where new edges can be used as defenses with 
a counterexample. We consider the test network with a defense budget of four units and 
attack budget of two units. The undefended attack plan would be to attack edges (2, 7) 
and (9, 13) resulting in a system cost of 62. The optimal defense is to build the new edges 
(3, 8) and (5, 10), which does not involve defending one of the original attacked edges. 
Furthermore, the optimal system cost has improved to 37 and the attackers new best 
attack plan is to interdict edges (8, 12) and (11, 12). The resulting best defense of the 
network no longer involves the original attacked edges, or any existing edge in the 
original network. The two graphs in Figure 3 show the results, with defended edges in 
blue and attacked edges with a red “X.” 
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Undefended Worst-case Attack 


Optimal Defense and Worst Attack 


Figure 3. Optimal Defense with Addition of Edges on Test Network 


Our counterexample shows there are other choices in the general DAD problem 
besides defending existing edges to prevent an observed worst-case attack. The challenge 
is to determine an efficient algorithm to enumerate defenses when new edges can be 
added to defend a system. 

B. ENUMERATION TREE CONCEPTS 

Our enumeration algorithm explores a tree of subproblems. Each node in the tree 
represents an AD subproblem with a specific fixed defense that is based on a restriction 
of the original defense budget. The AD subproblem instance for a node is a simplified bi¬ 
level model that is easier to solve than the original tri-level DAD optimization problem. 
Child nodes represent the inclusion of one additional fixed defense in response to the 
worst-case attack observed in a parent node AD subproblem. 

The root node in our enumeration tree represents the initial restriction of the 
original DAD problem instance to a defense budget of zero units. Thus, the AD 
subproblem associated with the root node has no fixed defenses. 

Branches from a parent node represent the choice of one new defense in response 
to the worst-case attack of an AD subproblem for a parent node. Any defense chosen as a 
branch must improve system performance or change the worst-case attack observed at the 
parent node. Thus, each branch represents one defense that is an appropriate response to a 
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worst-case attack of a parent node. Conversely, the branches that form a path from the 
root node to a particular node give the fixed defenses of the AD subproblem at that node. 

Other nodes in the IE tree represent AD sub problems that relax the defense 
budget restriction at the root node. Any node can be identified by its depth and breadth. 
Depth is defined as the axial distance on the tree from the root node. The depth of the 
node in the tree tells the number of defenses that are fixed in its accompanying AD 
subproblem instance. Depth starts at zero at the root node because the root node has zero 
fixed defenses. Tree depth grows by one for each additional defense. For example, if a 
node has a depth of two in the IE tree, then the AD subproblem associated with that node 
has two fixed defenses. Breadth is defined as the number of nodes at a particular depth. 

Child nodes on a tree are created when the remaining defense budget of a parent 
node is greater than the cost of adding an additional defense. Branches based on defenses 
against the worst-case attack of a parent node represent fixed defenses to be embodied in 
new AD sub problems associated with new child nodes. A leaf node on the tree occurs 
when the number of fixed defenses at a node exhausts the original defense budget. A 
defense budget could be exhausted at different depth levels for different nodes because 
the cost of defending existing edges or adding new edges may not be the same. 

Traditionally, elimination of sections of an enumeration tree that cannot lead to an 
optimal solution is called pruning (Wolsey, 1998, p. 94). We seek to prune the IE tree by 
developing characterizations of a suboptimal solution to the DAD problem or 
corresponding AD sub problem. The pruned sections of the tree will not need to be 
explored because an optimal solution could not be developed from the nodes representing 
these AD subproblem instances. In this chapter, we develop some pruning rules that use 
the development of a decreasing upper bound on the DAD master problem to eliminate 
many possible defense combinations from consideration. 

1. Data Structures at an IE Tree Node 

To better understand how a node functions in an IE tree, we describe what each 
node represents and the various pieces of infonnation that each node maintains. Each 
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node in the IE tree represents an AD subproblem with a fixed set of defenses. Each node 
maintains several distinct pieces of information. 

• Parent[n] is the parent node of node n. Only the root node does not have a 
parent. 

• Children[n] is a list of the child nodes for a node n. Child nodes have one 
additional fixed defense than the AD subproblem of a parent node. 

• Branches[n] is a list of branches from a parent node n to child nodes. 
Branches represent the addition of a defense to either improve the 
objective function of the parent AD subproblem or change the parent node 
worst-case attack. 

• Objective[n] is the objective function value of the AD subproblem 
solution of Equation (lb) or (lc) associated with node n. 

• Attack[n] is the subset of edges of the worst-case attack associated with 
the AD subproblem solution of node n. 

• Budget[n] is the amount of defense budget utilized at node n. We subtract 
the budget utilized at a node from the original total defense budget to 
determine the amount of remaining defense budget available for a child 
node. Selecting an existing edge for a fixed defense or adding a new edge 
as a fixed defense at a child node subtracts from the remaining defense 
budget inherited from a parent node. If the remaining defense budget is 
less than the cost of any defense, then the node is a leaf of the tree. 

• Inclusion[n] is the list of fixed defense edges at node n. It is a subset of 
edges (i, j) that are fixed to the defended option (di). Inclusion lists are 
inherited from parent nodes and expanded. For example, W ijd =1. 

• Exclusion[n] is the list of edges that cannot be defended at node n. It is a 
subset of edges (i, j) that are fixed to the undefended defense option (do). 
Exclusion lists are inherited from parent nodes and expanded. For 

example, W jd = 1. 

2. Requirements of IE tree branches 

A branch from a parent node in the IE tree represents one new defense to select in 
response to the worst-case attack of the subproblem contained within a parent node. A 
new defense could be the protection of an existing edge or the addition of a new edge to 
the network. In order for a branch to exist, three things must be true. 
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• There must be enough remaining defense budget to allow for a new 
defense to the system. In the test network, adding new edges as defenses 
costs more than defending existing edges. The new defense is represented 
by the formation of a new child node at the end of the branch. 

• An unprotected or unadded piece of the network must exist to defend. 

• The defense option that is considered by the branch must result in a 
change of the worst-case attack plan or an improvement in the subproblem 
instance objective function value from the parent node to the child node. If 
a change does not occur, the defense was not effective in prevention of the 
worst-case attack encountered in the parent node AD subproblem. If the 
AD subproblem objective function value gets worse from parent node to 
child node, the defender is not making an improvement to the system. 
Defenses that worsen the objective function are not added to the IE tree. 

C. IE ALGORITHM FUNDAMENTALS 

The strategy to optimally solve a DAD problem instance with IE is to restrict the 
defense budget to zero and then relax it one unit at a time. We start with an undefended 
system and then add defenses to AD sub problems one at a time until the defense budget 
is exhausted. Existing edge defenses can be added one by one if they either change the 
worst-case attack of the parent node or improve the parent node objective function value. 

The optimal solution to the root node AD subproblem forms an upper bound on 
the master problem. The attack plan of the root node AD subproblem provides one of two 
methods to add branches to the next level of depth in an IE tree. Branches from the root 
node are added by defending each of the attacked edges from the root node worst-case 
attack one by one. Additional branches can also add a new edge as a defense, as long as it 
improves system performance or changes the worst-case attack. 

Child nodes from each branch represent the network with the addition of either a 
defended or added edge. Each child node is a new AD subproblem instance because it has 
new fixed values for the defense variables (W). The optimal solution to each of these 
new AD subproblem instances determines the child node objective function value and 
worst-case attack. Each AD subproblem instance optimal solution may also improve the 
upper bound on the DAD master problem instance. Each child node then becomes a 
parent node to determine the next new defense if the remaining defense budget is not 
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exhausted. Branches from each new parent node are fonned in the same manner. This 
process repeats until the defense budget is expended. When a node is created with no 
remaining defense budget, that node is called a leaf node. 

The inclusion list and objective function value of a node represents a feasible, but 
not necessarily optimal, solution to the original DAD problem. The node or nodes with 
the best objective function value represent the optimal solution to the original DAD 
problem instance. Figure 4 illustrates the beginning of an IE tree based on the test 
network with a defense budget of three units and an attack budget of two units. The 
system cost is shown as the objective value in the tree. 



Figure 4. Portion of an Implicit Enumeration Tree 

1. Skipping and Reconsideration of Potential Defenses 

Branches form from a node based on defenses that can either improve the 
objective function value or change the worst-case attack. Only certain existing edges and 
certain new edges will meet the criteria for becoming an additional defense from a parent 
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node to a child node. Those edges that do not become defenses from a parent node to a 
child node are “skipped” from consideration for branches at a parent node. We use the 
term skipped because these edges are not permanently prohibited from being a defense. 
Each child node formed from a parent node via a branch represents a new AD 
subproblem instance. Each child node AD subproblem might feature a different worst- 
case attack that could be improved by defending an edge that was skipped by one of the 
previous parent nodes. This concept of skipping edges as enumerated defenses at an AD 
subproblem instance and then reconsidering them in subsequent AD subproblem 
instances is an essential feature of being able to efficiently construct an IE tree. 

2. Avoiding Repeated Calculations 

In order to improve the computation efficiency of our basic IE algorithm, we can 
perform a procedural check in the algorithm to prevent identical calculations from being 
performed more than once. Absent any oversight, an IE tree could have repeated 
inclusion lists at different nodes which would cause identical calculations. A repeated 
inclusion list will have all of the same elements, but that combination of defense elements 
may be ordered in a different permutation. Both of these nodes would have the same AD 
subproblem instance because the order of defense items does not affect the calculation. 
Repeat defenses at different nodes mean that the same AD subproblem instances must be 
computed multiple times. Calculating the same AD subproblem instance more than once 
is inefficient. The problem of repeating calculations is shown in a snippet of an IE tree of 
the test network with defense budget of two units and attack budget of four units in 
Figure 5. In the example, one node has an inclusion list to defend edges (10, 13) and (8, 
12) and another node has an inclusion list of edges (8, 12) and (10, 13). 
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Figure 5. The Potential for Repeated Calculations in an IE Tree 

The exclusion of repeated calculations can be thought of as a simple pruning 
mechanism for an IE tree. An exclusion list of previously considered defenses should be 
maintained for each node to prevent repeated identical AD subproblem instances. The 
exclusion list for a node is made by examining the defense chosen by the branches 
formed from a parent node. The first branch of a parent node does not exclude any new 
defenses, but the second branch prohibits the defense chosen by the first branch. The 
third branch prohibits the defenses chosen by the first two branches, and so on. Exclusion 
lists at a node will also include the exclusion lists of a parent node. The exclusion list can 
be stated as follows: 

Exclusion rule: Once a branch is formed from a parent node that represents a particular 
defense, all subsequent branches from that parent node are prohibited from utilizing that 
defense. All descendent nodes from those subsequent branches are prohibited from 
selecting that defense as well. 

For example, in Figure 5, if the first node at depth one defends edge (8, 12), then 
all of the other child nodes at depth one from the same parent node will be prohibited 
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from also defending edge (8, 12). When there are child nodes at a particular depth from 
different parent nodes, the exclusion list rule only applies to the child nodes from the 
same parent node. Exclusion lists are made from side to side for all of the branches from 
a particular parent node, with the beginning nodes not excluding anything, and following 
nodes excluding defenses that have been attempted by previous nodes at the same depth. 
Exclusion lists are passed from parent to child node and then appended with the excluded 
edges at the new depth. With the exclusion list mechanism, repeated calculations of the 
same AD subproblem instance are eliminated from the IE tree. Figure 6 illustrates how 
exclusion lists grow by showing a part of the IE tree for defense budget of three units and 
attack budget of two units. In the example, defense of edge (2, 7) is initially considered in 
depth level one, and excluded by all other nodes at that depth. 



Figure 6. Exclusion Lists in an IE Tree 


D. PRUNING OF NEW EDGES 

The term new edge refers to an edge that has zero transport capacity (u) under the 


undefended defense option (do), and a transportation capacity (u) greater than zero when 
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defended (di). This type of edge can be thought of functioning in the network only if it is 
chosen as a defense. When considering how to evaluate the design of new edges as 
defenses to a network, we desire to develop a rule to exclude or prune some of the new 
edges from the tree when it is known that they will lead to suboptimal solutions of the 
DAD problem instance. In order to use an IE strategy for a network that has the 
capability of new edge design, a different approach is required than seen in Scaparra and 
Church (2008). The simplest method for an IE tree with new edges would be to consider 
every new edge for each node in the tree one at a time for network defense. But, the 
problem with considering each new edge at each node is that the total number of nodes in 
the enumeration tree will be very large. Without a rule for excluding some new edges at 
each new node, the resulting algorithm would perform inefficient explicit enumeration. 

We also desire to develop a pruning rule that preserves the ability to implicitly 
enumerate defenses one at a time. Situations may exist where considering new edge 
defenses one at a time in an enumeration scheme may fail to identify the optimal defense. 
We show that situations exist where new edges could be considered in groups of two or 
more as a single defense. We desire to eliminate those situations from our enumeration 
strategy because it can result in a combinatorial explosion of the number of defenses that 
would need to be considered at each node. 

1. A Simple Pruning Rule for New Edges Is Incorrect 

Unfortunately, we cannot employ a simple pruning rule that restricts our 
consideration to those new components whose addition improves the performance of the 
network or reduces the impact of the worst-case attack. The following counterexample 
shows why a simple pruning rule does not always generate to the optimal defense. 

Consider the simple five node network in Figure 7. The objective of the network 
is to move resources from source to destination at minimum cost. Define a transshipment 
node as a node where no source or demand for resources exists. A source node is black, a 
destination node is white, and a transshipment node is grey. Each destination node 
requires one resource, and the source node has exactly enough resources to fulfill all 
requirements. There is a cost of one unit to move one resource over any one edge. Edges 
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have unlimited capacity, and attacked edges are unusable. There is a penalty cost of 10 
units if a destination node does not receive a resource. There is no cost for either using or 
not using a transshipment node. Existing edges are solid lines, and edges that may be 
added to the network are dashed. New edges can transport resources only if built. Nodes 
1 through 4 are connected as shown, and node 5 is disconnected. Node 5 may be 
connected with the addition of one or more of the dashed line edges. The attacker has a 
budget of two units. The defender has a budget of two units, and defending an existing 
edge or building a new edge both cost one unit. Newly added edges to the network are 
invulnerable to attack. 
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Figure 7. A Minimum Cost Flow Network with a Transshipment Node 

Proposition 2-2: If new edges that could be added to a network are connected to a 
transshipment node, then the new edges cannot be considered for exclusion one at a time 
in an IE tree if no change to the worst-case attack or improvement in network 
performance is observed. 

Proof of Proposition 2-2: Proof via contradiction. Assume to the contrary that 
new edges connected to transshipment nodes are considered one at a time for addition to 
the network. We use the five node network of Figure 5 as an example. The undefended 
attack plan for the root node would be to attack edges (1,2) and (1,4) which disconnects 
that source from the network and stops all flow of resources. The attack is a minimal 
edge-cut (Chartrand & Zhang, 2012, p. 116) of Figure 7. The undefended objective 
function would have value 30 because each destination node would each incur the 
penalty cost and no resources would flow over edges. Considering the addition of edge 
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(1, 5) by itself to the network as one defense would not have any effect, since no 
resources would reach their destination with this one addition. No resource would flow 
from node 1 to node 5 because there is a cost of 1 to use edge (1, 5) and no incentive to 
move one unit of resource to node 5. A similar argument applies to the addition of edge 
(3, 5). In both cases, these singular defenses would neither change the worst-case attack 
nor the network objective function value. If we consider new edges one at a time, both 
new edges would be excluded from the first set of branches to the IE tree. The optimal 
solution to this problem, though, is to add both edges (1, 5) and (3, 5) to the network 
simultaneously. Note that each source and destination node in the network with both new 
edges added is now 3-connected (Chartrand & Zhang, 2012, p. 117). Since each source 
and destination is 3-connected, the attacker cannot use two attacks to stop the flow of 
resources from any source to any destination. Notice that the resulting objective function 
of the defended network would improve to eight, but the worst-case attack would not 
change. Thus, a contradiction is reached because the optimal solution for the DAD 
problem instance can only be found in this network by considering both new edges 
simultaneously. Figure 8 shows the result, and the numbers above the edges represent the 
amount of resource flow on that edge.* 



Figure 8. New Edge Consideration with Transshipment Nodes 


We make another proposition about new edge exclusion in enumeration trees that 
does not rely on transshipment nodes with the network in Figure 9. In Figure 9, assume 
source node 1 has supply of three resources and source node 2 has a supply of one 
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resource. Both of the source nodes have exactly the amount of supply that is required by 
the destination nodes that they are connected to. Edges (1,2) and (4, 6) do not currently 
exist, but they may be added as defenses. The defender has a defense budget of two units, 
and the attacker has a budget of one unit. Again, destination nodes are white, have a 
demand of one resource each and have a penalty cost of 10 if the demand is not satisfied. 
Solid lines are existing edges, and dashed lines are edges that could be built as defenses. 
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Figure 9. A Minimum Cost Flow Network with No Excess Supply 

Proposition 2-3: If source nodes do not have supply in excess of the total demand at 
destination nodes, then no new edges that could be added to a network can be considered 
one at a time in an IE tree. 

Proof of Proposition 2-3: Proof via counterexample. Assume to the contrary that 
edges could be excluded one at a time in a network that has nodes with no excess supply 
and consider Figure 9. In Figure 9, the worst-case attack would be to attack edge (1,3) 
which cuts off flow to nodes 3, 5 and 6, resulting in an objective value of 31. The first 
best defense would be to defend edge (1, 3) to restore flow. Building edge (1,2) by itself 
would have no effect on either the worst-case attack or optimal value, since the worst- 
case attack would still occur at (1,3) and cut off the same nodes. Building edge (4, 6) by 
itself would also have no effect on either the worst-case attack or optimal value, since no 
resources could travel over the new edge. In this case, the IE tree would exclude both 
new edges from further consideration. The IE algorithm would next attempt to fonn the 
second defense. With edge (1, 3) defended in the first round of enumeration, the new 
worst-case attack would be edge (3, 5) to cut off flow to nodes 5 and 6. When 
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considering the second level of defenses, the IE tree algorithm would not be able to 
consider both new edges together, because the formation of the first layer of depth of the 
tree would have excluded both edges individually. The IE tree would only consider the 
new edges individually for the second defense, and they would not be optimal. However, 
the contradiction occurs because the optimal defense is to build both edges (1,3) and (4, 
6). The worst-case attack in response to this defense is unchanged. This defense would 
not be found by examining new edges for addition one at a time. When the two new 
edges are added simultaneously, the network topology becomes a 2-connected graph 
(Chartrand & Zhang, 2012, p. 115). Any single attack will result in a network that is still 
a 1-connected graph, and all resources can flow to all destination nodes. Figure 10 
illustrates the proof.* 
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(a) Undefended Worst-case Attack (b) Optimal Defenses and Resulting Attack 

Figure 10. Lack of Supply in Excess of Total Demand 

2. Excess Supply and Incentive 

Propositions 2-2 and 2-3 provide ample evidence that the simple pruning rule is 
flawed. But, we still desire a decision rule for pruning some new edge branches in an IE 
tree. In order to develop a pruning rule that can incrementally add defenses one at a time, 
we must first introduce some additional terminology. 

Define excess supply as a source node that has more resources available than it 
can deliver to all destination nodes that are connected to it. A source node is connected to 
a destination node by one or more paths of existing edges or previously added edges. This 
definition allows for the possibility that the network could be connected or disconnected 
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into multiple subnetworks. If an entire network is connected, excess supply means that 
the sum of all capacities of all source nodes is strictly greater than the sum of all demands 
of all destination nodes. Similarly for disconnected subnetworks, excess supply means 
the sum of all capacities of all source nodes in a subnetwork is strictly greater than the 
sum of all demands from all destination nodes in that subnetwork. Without excess supply, 
the situation in the previous proposition could occur. 

Incentive is defined to mean that the cost to transport resources over a network 
from a source node to a destination node is less than the penalty cost for failing to fulfill 
demand at a destination node. Incentive assumes that a demand exists for a resource at a 
destination node. When incentive exists, the optimal solution will transport resources 
from source to destination because the cost of doing so is less than the penalty for not 
doing so. If incentive does not exist, then no reason to improve a network to transport 
supply to demand exists either. 

Proposition 2-4: New edges must have an incentive to be built in order to be considered 
as defenses in an IE algorithm. 

Proof of proposition 2-4. Assume to the contrary that edges did not need to have 
incentive to be considered in IE. For example, Figure 11 shows a supply node with more 
resources than demanded at nodes 2 and 3. The edge that connects nodes 1 and 2 has a 
cost less than the demand, so an incentive exists for resources to be transported to node 2. 
But, the new edge that connects nodes 2 and 3 would create a path from node 1 to node 3 
that would have a traversal cost of eight units, which is more than the penalty of five 
units for not satisfying demand at node 3. In this bizarre case, the optimal solution would 
be for the resource to remain at the supply node and not travel to demand node 3, because 
it would cost more to transport the resource than to leave the destination unsatisfied. 
Optimally, edge (2, 3) would not be added to the network. The situation in Figure 11 can 
be avoided if the maximum cost of any acyclic path with new edges between source and 
destination nodes is less than the penalty at a destination node. If all edges have a unit 
cost, then the graph theoretic measure of “distance” between source and destination must 
be less than the penalty for failing to fulfill demand (Chartrand & Zhang, 2012, p. 15).- 
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Figure 11. No Incentive Exists for New Edge to Demand Node 


For the next proposition, consider Figure 12. Figure 12 contains three 
subnetworks that are each connected with existing edges. Subnetwork A only has demand 
nodes without any supply, so unmet demand exists. Subnetwork B has supply and 
demand nodes, but no excess supply exists. Subnetwork C has supply and demand nodes, 
and there is more supply available than demand. The interconnection edges between the 
subnetworks that are shown by the dashed lines between nodes 1 and 2 and 3 and 4 do 
not currently exist, but could be added as extra defenses. The penalty for unmet demand 
is significantly higher than the cost of transporting resources over the longest possible 
path that could interconnect any source and destination node across subnetworks. There 
is sufficient defense budget to add both new edges. Subnetwork A is a connected, but it 
penalizes the overall network objective function because of unmet demand. Subnetwork 
B is connected, and there is enough supply to satisfy demand, but nothing in excess. 
Subnetwork C is connected, and there is significant excess supply. 



Figure 12. Disconnected Subnetworks with Unbuilt Connecting Edges 


Proposition 2-5: Source nodes must have excess supply and new edges must have 
incentive in order to consider the incremental addition of new edges individually in an 
enumeration strategy. 
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Proof of proposition 2-5: Proof by counterexample. Assume to the contrary that 
network source nodes did not need to have excess supply and new edges did not needed 
incentive and consider Figure 12. Suppose new edges were considered as network 
defenses individually for addition. In the first round of selecting defenses incrementally, 
new edge (1,2) would not be added to the network because adding it alone does not have 
an effect on the network. Incentive exists for resources to travel to subnetwork A over 
edge (1, 2), but no extra resources exist in subnetwork B to utilize the new edge (1, 2). 
The lack of excess supply in subnetwork B would mean that if edge (1,2) was utilized, 
then penalties would be incurred in subnetwork B to satisfy unmet demand in subnetwork 
A. The travel cost of resources over new edge (1,2) would make the addition of edge (1, 
2) by itself a suboptimal solution. Also in the first round of selecting defenses, new edge 
(3, 4) would not be added to the network by itself because it would have no effect either. 
Excess supply exists in subnetwork C, but no incentive exists over edge (3, 4) for the 
extra resources to only travel to subnetwork B. All demand in subnetwork B is already 
satisfied. In the second round of selecting defenses incrementally, edges (1,2) and (3, 4) 
again would be considered individually and neither would be added for the same reasons 
as in the first round. The contradiction occurs because the optimal solution would be to 
add both edges to the network so that the excess supply in subnetwork C could travel 
over both new edges to satisfy the unmet demand in subnetwork A. Adding both edges 
simultaneously is optimal because the high penalty cost for unmet demand creates 
incentive for the excess supply in network C to be able to reach the unmet demand in 
subnetwork A. Since the optimal solution is a contradiction, the proposition must be true. 
Excess supply does not exist in subnetwork B and that makes the addition of either new 
edge appear to be inconsequential when they are considered individually. 

The result from the example in Figure 12 is that when disconnected excess supply 
components and disconnected excess demand components are involved in a network, an 
incremental approach to enumeration can only be considered when a maximum distance 
of one potential edge can exist to connect the components. Figure 12 proves that if there 
are intermediate connections between excess supply subnetworks and unmet demand 
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subnetworks, then an incremental approach toward adding new edge defenses will not 
work. 

The situation in Figure 12 could be avoided in at least two different ways. First, if 
the entire network was connected with other existing edges, then the situation would not 
arise. Second, if the source nodes in subnetwork B had excess supply, then incremental 
addition would be possible. Then, the new edge (1,2) would be added to the network in 
the first round of enumeration. If the excess supply in subnetwork B was not enough to 
completely satisfy the unmet demand in subnetwork A, then the second round of 
enumeration would add the new edge (3, 4) to the network. 

3. New-Edge Pruning Rule 

Based on the propositions encountered in the previous sections, it is possible to 
write a pruning rule for new edges that could be added to a network as defenses. But, the 
analyst must ensure that a network meets the criteria specified in the rule. The analyst 
must ensure the network has source nodes with excess supply and that incentive can 
occur over new edges that could be added to the network. 

Proposition 2-6 (Pruning rule for new edge defenses): Consider a network where new 
edges do not connect to transshipment nodes. If source nodes in the network have excess 
supply and new edges have an incentive to be added, then new edges considered in DAD 
IE must result in some type of improvement to the resulting system. Under these 
conditions, a new edge branch should be excluded from consideration at a particular 
node in a DAD network IE tree if it does not either change the worst-case attack or 
improve the system objective function value. 

Proof of Proposition 2-6: Consider an arbitrary network of excess supply source 
nodes, edges, potential new edges, and destination nodes where source nodes have excess 
supply. Additionally, no new edges connect to transshipment nodes. An improvement to 
the network objective function will occur if resources can travel more efficiently from 
source to destination with the addition of the edge. In order for the new edge to impact 
the network, resources must be able utilize the new edge. We must determine if excess 
resources can reach the new edge addition. There are two cases to consider for the new 
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edge, either a path exists from an excess supply source node to a node that connects to the 
new edge, or a path does not exist. 

Case 1, a path exists: Since we assume all source nodes have excess supply, then 
at least one source node has a path to at least one node that is connected to the new edge. 
At least one source node will be able to push its extra resources to one of the nodes on the 
end of the new edge. The node at the end of the new edge effectively becomes the 
equivalent of a new supply node because excess resources from the source node would be 
able to flow to it. The extra resources at the equivalent supply node are able to flow over 
the new edge to improve network objective function, or change a worst-case attack. 
Every new edge considered for inclusion will always behave like a source to source edge 
or a source to destination edge since we assume excess supply can reach the new edge. 
Since we assume no transshipment node at either end of the new edge, there is potential 
incentive for resource to flow on the new edge if it is added to the network. If the other 
end of the new edge is a destination node that already has its demand satisfied, the 
addition of the new edge may allow for a more efficient way to satisfy that demand, 
which would improve the system objective function. If the other end of the new edge is 
another source node, the new edge would create an equivalent “super source” node with 
combined resources that might result in more efficient flows. The improved efficiency of 
the system would be a reason to include the new edge in an enumeration tree. If the new 
edge does not provide a more efficient path to satisfy demand, then the addition of the 
new edge could be considered a waste and be pruned from the IE tree. 

Figure 13 shows an example of the potential effects of excess supply source 
nodes. If source nodes 1 and 2 both have excess supply, then they will be able to deliver 
extra resources to the ends of the new edge (4, 6). Source node 1 will be able to turn node 
6 into an equivalent source node since more than one resource can reach node 6. 
Likewise, source node 2 will be able to turn node 4 into an equivalent source node. 
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Figure 13. Equivalent Effect of Excess Supply Source Nodes 

Figure 14 extends the example against an attack. Recall the optimal attack on this 
network was edge (1, 3), which cut off nodes 3, 5, and 6. That attack would not allow 
node 1 to move any excess supply anywhere. But, the excess supply of node 2 would turn 
node 4 into an equivalent supply node. Then, the inclusion of edge (4, 6) would restore 
flow because the equivalent supply node 4 would be able to send resources across edge 
(4, 6) to satisfy some or all of the previously cut off demand, depending on the amount of 
excess supply. 



Figure 14. Attack with Excess Supply Source Nodes 

Case 2, no path exists: If no excess supply source node has a path to either end of 

a new edge, then it would be impossible for any resources to flow to either end of the 

new edge. Consequently, no resources would be able to flow across that new edge if it 

was added to the network. In this case, the new edge would not serve any purpose in 

improving the efficient flow of resources within the system, and this new edge also 
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would not provide a reason for the worst-case attack to change. The addition of a new 
edge that cannot have flow would be a waste of a resource, and it could be pruned from 
an IE tree. Case 2 is illustrated in Figure 15, where excess supply node 1 does not have a 
path to the new edge between destination nodes 3 and 4. The branch representing the 
addition of edge (3, 4) could be pruned from the tree." 



Figure 15. New Edge Unreachable by Excess Supply Source Nodes 


4. Examples of New Edge Pruning 

Since Proposition 2-6 provides us a rule to prune new edges in IE when the 
network has excess supply and incentive exists over new edges, we can examine some 
instances where pruning of a new edge may or may not occur. 

Observation 2-7: If new edges do not connect to transshipment nodes, then the only 
possible types of new edges are source to source, source to destination or destination to 
destination. 

New edges that connect source nodes to source nodes create a super supply node. 
The super supply node may be able to use the combined supply from both nodes to 
deliver resources to portions of the network that were previously unsatisfied. New edges 
that connect destination nodes to destination nodes create the equivalent of a super 
demand node, which would behave like a destination node with a much higher resource 
requirement. Behavior of super supply and super demand nodes in a network with excess 
supply can be easily seen by modifying a previous example to have excess supply. 
Consider Figure 16, with the worst-case attack shown. In Figure 16, the addition of edge 
(4, 6) creates an equivalent super demand of edges 3,4,5,6 to supply node 2. Since source 
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node 2 has excess supply, the addition of edge (4, 6) would be considered in the first 
layer of IE. But, even though node 2 has excess supply, it does not completely satisfy the 
demand. The second layer of enumeration to add the second defense would consider the 
addition of edge (1, 2) to the network which creates the equivalent of a super supply 
node. The new edge (1, 2) is added to the enumeration algorithm because an incentive 
exists somewhere in the network, specifically, the unsatisfied demand from node 3 that 
could exist on the path (1, 2, 4, 6, 5, 3). Since incentive exists, the edge (1, 2) is added to 
the network. 
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Figure 16. Worst-case Attack with Excess Supply Nodes 

The source to destination edge is the last type of new edges that may be added to 
a network. There are two possibilities for new edges with source to destination nodes. 

Possibility 1: The new edge is source to destination with previously unsatisfied 
demand. It should be obvious that addition of this new edge could improve the objective 
function value since the source node has extra resources available to send on the new 
edge to a destination that was previously penalizing the objective function for having 
unfulfilled demand. If the cost to transport between source and destination is higher than 
the penalty for unfulfilled demand, then incentive would not exist. 

Possibility 2: Source to destination with previously satisfied demand. There are 
four types of situations that could occur. 
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Situation 2a: If the cost of moving resources to the destination node can be 
improved by adding the new edge to the network, then that new edge would be a 
candidate for addition. 

Situation 2b: If the resource that is already satisfying the demand at the 
destination could be better utilized by satisfying some other demand on the network, then 
addition of the new edge will be an improvement and a candidate for addition. 

Situation 2c: If the addition of the new edge does not change the movement of 
previous resources, then does the satisfied destination node appear to be the equivalent to 
a super supply node with the addition of this new edge? The satisfied demand node could 
look like an equivalent supply node if there is another existing incentive in the network 
for the edge to be added. While the satisfied demand node itself may not present an 
incentive for the edge to be added, there may be another efficiency in a different part of 
the network that will make the satisfied demand node appear to be the equivalent of 
another supply node. 

Situation 2d: If the addition of the new edge does not change the movement of 
resources and there is no other existing incentive in the network for the edge to be added, 
then the candidate edge will not affect a change in the efficiency of the network nor 
change the worst-case attack. This new edge should be temporarily excluded from 
consideration in an IE algorithm. 

In order to illustrate how new edge pruning works on the test network, consider 
Figure 17. Figure 17 is a portion of the IE tree on the test network with a defense budget 
of four units and an attack budget of one unit. The black arrows in Figure 17 show the 
defenses that could be pruned from the tree. The new edges labeled for pruning have the 
exact same worst-case attack and objective function value as the parent node. In this case, 
these defenses do not make any improvement to the function of the system, in terms of 
system cost or worst-case attack. These potential defenses are ruled to be a waste of 
defenses since improvement in objective or change in worst-case attack did not occur, 
and can therefore be pruned from the tree. These edges will be reconsidered as additional 
defenses in different child nodes later on as the IE strategy continues. 
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Figure 17. Pruning New Edges in an IE Tree 


E. UPPER AND LOWER BOUNDS IN IE 

As the IE tree is explored, we can update the upper bound on the overall DAD 
problem solution when each node AD subproblem instance is solved. Every node 
represents an AD subproblem instance that is a feasible solution to the master DAD 
problem instance. Each time a feasible solution is computed, it can be compared to the 
best known feasible solution found on the tree so far. If the new node AD subproblem 
objective function value is better than the best known objective function value, then the 
upper bound on the master DAD problem can be updated. By updating the upper bound 
on the DAD problem with each new node, the best known solution can be retrieved at 
any point during the execution of the algorithm. 

A simple global lower bound for the DAD problem can also be computed. 

Consider a different restriction to the DAD problem, where instead of manipulating the 

defense budget, we instead choose to fix the attack budget. If the attack budget is fixed at 
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zero units, then we reduce a tri-level optimization problem to a different bi-level 
optimization problem. When there are zero attacks to consider, we have reduced the 
DAD problem to a “defender-operator” or “defender-defender” (DD) problem. The DD 
problem is also recognized as an example of the well-known network design problem 
(Magnanti & Wong, 1984). The DD problem is a mixed integer linear program since the 
only objective is minimization, as the attack variables are all fixed to zero, 
min min f(W,X,Y) 

WeY Y eY(W) (2 2) 

The formulation in Equation (2) is simply a restatement of the original DAD 
formulation (la), except that all of the attack variables (X) have fixed values of zero. The 
formulation of the DD minimum cost flow problem has all attack variables (X) fixed at 
zero, and removed from the problem. The system of Equations of (2.2a-h) are modified 
from the original DAD minimum cost flow model in Chapter I, with all of the attack 
variables removed from the formulation. 


Defender-Defender (DD) Minimum Cost Flow Formulation: 


m. in min £ £ c ijd ■ Y ijd + c jid • Y jid + Z S, 

ijd ’ ijd d ^ D hgN 

Subject to: 

Z Z Y njd “Z Z Y ind - s n < demand „ 

deD (n,j)eA deD (i,n)eA 

Z Y ijd + Yjid < »//,/ • w ijd 

z z h ijd • W ijd < defense _ budget, 

deD: ( i,j)eE 
d*d 0 

Z ^ =1 

deD 

Y i jd - 0 

W ijd e {0,1} 


'Pm 

(2.2a) 

\/n e N, 

(2.2b) 

V(z,y) e E,d eD, 

(2.2c) 


(2.2d) 

V(z,y) e E, 

(2.2e) 

V(z,y) e A, d eA 

(2.2f) 

V« e N, 

(2-2g) 

V(z, j) e E,d e D. 

(2.2h) 


The global lower bound obtained from the DD subproblem instance has limited 
use. The global lower bound represents the best operation of the system that a defender 
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could possibly experience when choosing defenses, since no attacks occur. The global 
lower bound provided by the DD subproblem gives the analyst a best case standard to 
measure the effectiveness of the best defenses against a worst-case attack. Calculation of 
the global lower bound is not required to produce an IE tree. 

A simple example of updating the bounds can be seen in Figure 18, a DAD 
problem instance of the test network with a defense budget of three units and an attack 
budget of two units. First, the DD network design subproblem instance of no attacks 
gives us a global lower bound of 22 units. We know that no feasible solution of the DAD 
problem instance can be less than 22 units. Next, the root node AD subproblem instance 
of no fixed defenses gives an objective function value of 62 units, which becomes our 
initial upper bound. The first AD subproblem instance at tree depth of one gives an 
objective function value of 50 units, which updates the upper bound. The second 
subproblem instance at depth of one gives an objective function value of 54 units. But, 
this value is not an improvement over the previous best known value, so the upper bound 
is not updated. The next AD subproblem instance node at depth one has an objective 
function value of 45 units, which updates the upper bound. The remainder of the tree is 
not shown in Figure 18 and 45 units is the optimal solution found at multiple nodes. 



Figure 18. Upper and Lower Bounds in an IE Tree 
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F. 


IMPLICIT ENUMERATION ALGORITHM 


The IE algorithm for the DAD problem has been implemented in the Python 
programming language with external calls to GAMS optimization software with the IBM 
CPLEX solver. We present the pseudo-code of IE to explain our algorithm in detail. Our 
algorithm builds and traverses the IE tree using a breadth first search strategy, and can be 
modified for other strategies. 

Main routine: 

Inputs: 

Network (supply nodes, destination nodes and costs & capacities of edges). 
Defense budget and attack budget for DAD problem instance. 

Set of new edges that can be added to the network satisfying three tests: 

New edges may not connect to transshipment nodes. 

Source nodes must have excess supply. 

Incentive must exist for new edge to be added to network. 

Outputs: 

DAD solution(s) = Best node(s) objective function value. 

DAD defense plan(s) = Inclusion list(s) with best objective function value. 

DAD attack plan(s) = Attack plan(s) of node(s) with best objective function value. 

Algorithm: 

Solve AD subproblem with zero defense budget for root node. 

Build tree with breadth first search strategy: 

Relax defense budget by one defense to increase depth of tree. 

While current depth < defense budget: 

For each node in breadth of depth: 

Make children with parent node data. 

Relax defense budget by one defense to increase depth of tree. 

Note: Multiple defense and/or attack plans may exist at optimal DAD solution value. 

Make children subroutine: 

Input: Parent node data (inclusion list, defense budget remaining, attack plan). 

Output: All child nodes with all calculations performed. 

Algorithm: 

Two options to create child nodes: 

(First option: make children by defending attacked edges of parent node.) 

If defense budget remaining at current node > edge defense cost: 

For every edge in current node attack plan: 

Add new child node to IE tree. 

Create node exclusion list with make exclusions. 

Inclusion list = inclusion list of parent node + edge. 

If inclusion list is in node exclusion list: 

Delete new node and new inclusion list. 
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If inclusion list not in node exclusion list: 

Solve AD subproblem for new node. 

Update upper bound with update solution. 

Set parent node of new node. 

Add new node to list of children of parent node. 

Decrease budget remaining at new node by cost of defense. 
(Second option: Make children of current node by adding new edges to network) 

If defense budget remaining at current node > new edge addition cost: 

If any new edge in parent node inclusion list OR in parent node exclusion list: 

Delete edge from list of new edges. 

For each new edge in list of new edges make a candidate node: 

Candidate inclusion list = parent node inclusion list + new edge. 

Solve AD subproblem for candidate node. 

If candidate objective function value < parent objective function value OR 
If candidate attack plan is different than parent node attack plan: 

Candidate node is added as a new child node to IE tree. 

Create node exclusions with make exclusions. 

Add a new branch from parent node with label of new edge. 

Update upper bound with update solution. 

Decrease budget remaining of new node by cost of adding edge. 

Make exclusions subroutine: 

Input: Exclusion list of parent node. 

Output: Exclusion list of child node. 

Algorithm: 

Set child node exclusion list to parent node exclusion list 
For each currently existing branch of parent node: 

Add edge label of branch to current node exclusion list. 

Update solutions subroutine: 

Inputs: 

Best known objective function value. 

List of tree node locations of the best known value. 

Current node objective function value. 

Outputs: 

Best known objective function value. 

List of node locations with that value. 

Algorithm: 

If current node objective function value is better than best known value: 

Set best known solution to current node objective function value. 

Set location of best solution to current node depth and breadth. 

If current node objective function value is equal to best known solution: 

Append current node depth and breadth to list of locations of best known value. 
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1. Depth First Search Algorithm Option 

Our IE algorithm is set up for the breadth first search tree exploration. If the 
analyst desires to perform a depth first search tree exploration, then the “build tree” step 
of the master algorithm can be replaced with this alternate version that uses a last in, first 
out stack data structure to explore the tree. Each node also has a new data element we call 
“visited” to check if the node has been visited before. 


(Alternate) Build tree with depth first search exploration strategy: 

Push root node to top of stack. 

Root node visited = False. 

While stack is not empty: 

Current node = Pop node from top of stack. 

Current node visited = True. 

If defense budget remaining at current node > defense cost: 
Call “make children” subroutine for current node. 

For each child node of current node: 

Push child node to top of stack. 

Set visit for child node = False. 


2. Algorithm Testing and Performance 

The IE algorithm is implemented on the test network. Results were checked 
against results obtained with the DAD problem nested decomposition algorithm and the 
DAD problem dual ILP with decomposition algorithm from Chapter I. Results were 
double checked with the solutions of the DAD problem on the test network found in 
Alderson et al. (2015). Solution times in seconds for DAD problem instances are shown 
for both decomposition algorithms and the IE algorithm in Table 3. 
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Table 3. Comparison of Solution Times for Different DAD Solution Methods 


Problem Instance 

Solution Time (Seconds) 

Multiple 

Optimal 

Solution 

Defense 

Budget 

Attack 

Budget 

Nested 

Decomposition 

Dual ILP + 
Decomposition 

Implicit 

Enumeration 

0 

1 

4.8 

0.7 

0.5 

NO 

0 

2 

5.4 

0.7 

0.4 

NO 

0 

3 

7.5 

0.7 

0.4 

NO 

0 

4 

4.2 

0.8 

0.4 

NO 

0 

5 

2.5 

0.7 

0.4 

NO 

1 

1 

10.0 

1.7 

0.8 

NO 

1 

2 

11.2 

1.8 

2.3 

NO 

1 

3 

12.4 

2.6 

1.6 

YES 

1 

4 

22.1 

2.3 

2.0 

NO 

1 

5 

12.8 

1.4 

2.5 

NO 

2 

1 

14.0 

2.4 

4.9 

NO 

2 

2 

16.8 

4.0 

5.2 

NO 

2 

3 

48.8 

4.3 

8.5 

NO 

2 

4 

64.5 

8.7 

10.5 

YES 

2 

5 

58.0 

11.0 

13.9 

NO 

3 

1 

11.9 

2.7 

9.3 

NO 

3 

2 

21.0 

2.7 

15.0 

YES 

3 

3 

40.1 

11.8 

35.1 

YES 

3 

4 

110.9 

14.3 

48.5 

YES 

3 

5 

147.4 

40.1 

58.2 

NO 

4 

1 

13.1 

2.0 

26.9 

YES 

4 

2 

41.6 

6.6 

50.4 

NO 

4 

3 

70.2 

10.5 

121.8 

NO 

4 

4 

156.1 

27.8 

188.2 

NO 

4 

5 

247.7 

61.0 

238.3 

YES 

5 

1 

8.1 

2.2 

58.7 

NO 

5 

2 

51.4 

8.7 

144.1 

YES 

5 

3 

106.2 

22.4 

440.7 

NO 

5 

4 

197.4 

37.6 

554.4 

NO 

5 

5 

322.1 

135.9 

826.1 

YES 

Totals: 

1840.2 

430.1 

2869.9 

9 


In general, Table 3 shows that the solution speed of the IE algorithm is roughly 
equal to or slightly slower than either decomposition approach for finding an optimal 
solution to the DAD problem on the test network. IE is the fastest algorithm only in the 
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case of zero defense budget. Table 3 shows that all of the algorithms take longer to solve 
a DAD problem instance when the size of the defense budget increases. But, IE becomes 
much slower than either decomposition method when the defense budget is five units. 

However, there is one perfonnance aspect of IE that makes it superior to both 
decomposition solution methods. IE is able to find many multiple optimal solutions at 
once, which is something that the nested decomposition algorithm cannot do. Table 3 
shows the problem instances where multiple equivalent optimal solutions exist. Both 
nested decomposition methods may be faster than IE, but they do not know if multiple 
equivalent optimal solutions exist, and they do not provide equivalent optimal solutions 
either. IE can inform the analyst of equivalent optimal solutions when they exist. If the 
analyst desires to find as many equivalent optimal solutions as possible to a DAD 
problem instance, IE is a good choice. IE also shows the analyst that when multiple 
optimal solutions exist, they need not always occur with a completely utilized defense 
budget. Similarly, an analyst could make a minor modification to the algorithm in order 
to use IE to find all solutions within a fixed percentage of the optimal solution. The 
analyst could specify a percentage of optimality desired for all solutions, and the IE 
algorithm would be able to identify all of these solutions. 

Proposition 2-8: When multiple optimal solutions are possible in a DAD problem 
instance, optimal solutions do not always occur at leaf nodes of the IE tree. 

Proof of proposition 2-8: Proof via counterexample. Assume to the contrary that 

optimal solutions can only occur at leaf nodes in an IE tree. Consider the test network 

with a defense budget of three units and an attack budget of two units. The optimal 

solution to the DAD problem is 45 units. There are seven nodes on the IE tree with an 

objective function value of 45, and one of those nodes is not a leaf node. When only one 

defense is fixed by adding edge (3, 8), the optimal objective function value is 45 units, 

but the defense budget is not exhausted. The worst-case attack are edges (10, 13) and (11, 

15). As it turns out, defending each of these attacked edges one at a time will create child 

nodes with defenses of (3, 8) with (10,13) and (3,8) with (11, 15). Both of these child 

nodes also result in optimal objective function values of 45 units. These child nodes are 

not pruned from the tree because the worst-case attack changes from parent node to child 
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node. In this case, the parent and child nodes in a subtree all share the same optimal 
objective function value. Figure 19 shows the multiple optimal solutions from a test 
network instance as green nodes. Thus, it is proven via counterexample that optimal 
solutions need not only exist at leaf nodes of an IE tree.* 



Figure 19. IE Tree with Multiple Optimal Solutions 

G. ENUMERATION SUMMARY AND CONCLUSIONS 

The IE algorithm works by restricting and subsequently relaxing the defense 
budget of the original tri-level DAD problem in order to generate easier to calculate bi¬ 
level AD sub problems that can help us find all reasonable choices of defenses. The 
restriction of the problem is perfonned by fixing the values of the defense variables (W ) 
one at a time. At the root node, the defender is restricted in having zero defense budget, 
which is the initial AD sub problem. At the first level of depth, the restriction of the root 

node problem is eased slightly because the defender is allowed one defense. At depth one 
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in the IE tree, the defender can choose only one defense that either improves the objective 
function or changes the worst-case attack of the parent node AD sub problem. This rule 
for node development at the next depth effectively prunes all other possible defenses that 
would be suboptimal. In this manner, explicit enumeration is avoided because all possible 
choices of defenses are not calculated in the tree. All of the AD subproblem instances in 
the IE tree are also easier to calculate than the original DAD problem instance. The 
methodology of preventing repeat calculations also helps to prune repeat calculations 
from the enumeration tree. The process of slight easing of the restriction on fixing the 
defense variables will continue throughout the formation of the IE tree until the defense 
budget is exhausted. Additionally, the formation of each new node perfonns a check for 
the updating of the best known feasible solution. This feature allows the analyst to be 
able to pause the algorithm and get the best known feasible solution at any time. 

Proposition 2-9: The IE algorithm is an exact algorithm that produces an optimal 
solution to a DAD problem instance. If the IE tree is completely explored, then one or 
more equivalent optimal solutions will be found to the DAD problem instance. 

Proof of proposition 2-9: An enumeration strategy lists all possible solutions to a 
problem instance. IE discards feasible combinations of decision variables that cannot lead 
to an optimal solution. In our implementation of IE for a DAD problem instance, we 
compute only those feasible combinations of defenses to worst-case attacks that can 
improve the objective function value or change the worst-case attack from a previous AD 
subproblem instance. The complete IE tree will list all feasible combinations of defenses 
that can either improve the objective function value or change worst-case attacks. The 
combinations of defenses that do not do either of those two things cannot lead to an 
optimal solution to the DAD problem instance. If the tree exploration is prematurely 
halted before completing the IE algorithm, an optimal solution might be found, but it also 
may exist in a portion of the tree that had not yet been completely explored.* 

However, IE does have a shortcoming. The size of an enumeration tree depends 

on the magnitude of the defense and attack budgets, the costs of defenses and attacks to 

those budgets, and the cardinality of the set of new edges that may be added to the 

network. The depth of the tree is equal to the number of defenses selected in AD sub 
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problems. The breadth of the tree at any particular depth depends upon the number of 
attacks pennitted by the attacker budget and the cardinality of the set of new edges. Thus, 
the shortcoming of IE is that the tree size can become incredibly large when either the 
defense budget, attack budget, or number of network design elements becomes large. 

In the case where there are no new edges that can be added to the network, the 
maximum size of the tree is straightforward to compute. The breadth of each level of the 
tree is the number of attacks raised to the exponent of the level of the tree. Thus, with 
three defenses and two attacks, the maximum size of the tree is 15 nodes. The maximum 
size is computed as follows: level zero consists of 2°=1 node; level one has 2 1= 2 nodes; 
level two has 2~=4 nodes; level three contains 2 =8 nodes. The maximum number of 
enumeration nodes in this tree is sum of all levels, 2° +2*+2 2 + 2 3 = 15 nodes. The tree 
gets really big fast. If there were 5 attacks and 5 defenses, the maximum number of 
enumeration nodes would be 5°+5 1 +5 2 +5 3 +5 4 +5 ? = 3906 enumeration nodes, each 
containing an AD mixed integer program (MIP) subproblem. However, the maximum 
size of the tree is not the actual size of the tree when exclusion lists are used to prevent 
repeated calculations. Nevertheless, we observe the problematic issue with IE is the 
number of MIPs to solve grows exponentially with the number of defenses allowed by 
the defense budget. Adding new edges into consideration makes the maximum number of 
nodes even larger. 

IE may not always be the fastest way to the optimal solution to a DAD problem 
instance, but this approach does have the unique capability of quickly identifying 
multiple optimal solutions. If an analyst needs to consider all equivalent optimal solutions 
in order to make a list of defenses to choose, IE may be a good choice. 
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III. NESTED DEFENSES IN THE DAD PROBLEM 


A. INTRODUCTION 

When faced with uncertain budgets and pressure to make good decisions quickly 
after defense budgets become known, military and civilian decision makers sometimes 
make use of a prioritized list of assets to defend in a system. Given a prioritized list and a 
realization of defense budget uncertainty, a decision maker may be inclined to choose to 
defend as many items from the top of the prioritized list downwards as he or she can 
afford. Prioritized lists can simplify decision making in uncertain budget environments, 
but this simplicity comes at the cost of optimality. Requiring the set of defenses to be 
presented as a prioritized list is equivalent to requiring monotonicity on the sets of 
defended assets as budgets increase. 

Uncertain budgets can refer to either an unknown defense budget, or an unknown 
attack budget of an adversary, or both. In the unknown defense budget scenario, decisions 
about which defenses to make to a system may need to be finalized before a defense 
budget is known. In the unknown attack budget situation, the defenders of a system may 
have to choose their defenses without any intelligence about the expected number of 
enemy attacks on a system. In the circumstance of complete budget uncertainty, the 
analyst knows nothing about the defense budget and the budget of their attacking enemy, 
but he or she must prioritize which defenses are best for a system. 

A nested defense means that for any pair of defender-attacker-defender (DAD) 
problem instances with different defense and/or attack budgets that the defense chosen 
with the smaller budget is a subset of the defenses chosen for a larger budget (Nehme & 
Morton, 2010). Nested defenses are a monotonic sequence of sets. A closely related term 
is “prioritization’, which is defined as the process of arranging choices in a list by their 
priority. In the context of the DAD problem, prioritization of defenses is the ability to 
rank the relative ability of each different defense to positively affect the objective 
function value against a worst-case attack. Koc and Morton state, “prioritization involves 
optimally placing activities into a priority list before the uncertainty is revealed, and, after 
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realizing the uncertainty, making an activity selection consistent with the priority list” 
(2015, p. 587). An example of a nested defense is a prioritized list of the best defense 
against any attack, second best defense, and so on. In the real-world problem of 
infrastructure defense, prioritization is a logical choice for planning against a wide range 
of possible defense and attack scenarios. “Prioritization is of interest when some problem 
parameters are random and we must commit to a ranking of the activities before these 
parameters are realized” (Koc & Morton, 2015, p. 586). 

Ranking the relative importance of defenses of a network into a prioritized list 
may seem to be a natural method for planning to defend a system when faced with 
uncertain budgets, but it is not optimal most of the time. Savage et al. (2006) refer to the 
suboptimal nature of prioritized lists as the “risk of ranking.” The authors note that “It is 
common when choosing a portfolio of capital investment projects to rank them from best 
to worst, then start at the top of the list and go down until the budget is exhausted. This 
flies in the face of modern portfolio theory which is based on the interdependence of 
investments” (2006, p. 22). In the case of the DAD problem, the choice of defenses 
represents the capital improvement projects mentioned by these authors. A prioritized list 
can simplify decision making, but it can lead to a suboptimal solution for any particular 
budget chosen. It is often the case that the one best defense of a system is not included in 
the set of the two best defenses, and so on. Brown, Carlyle, Salmeron and Wood, found 
that “a prioritized list of defended assets has a serious flaw... Such a list creates a 
“preferred set” of “n+7” assets by adding one asset to the preferred size But, we 
know that an optimal set of size “«” and an optimal set of size “n+7” may have nothing 
in common” (2006, p. 531). 

While it is known that nested defenses are often suboptimal solutions, an 
abundance of research on the impacts of requiring nested defenses for bi-level DA 
models or tri-level DAD models does not exist. “In spite of its common use in practice, 
prioritization has received little attention in the academic literature.” (Koc & Morton, 
2015, p. 587). One discovery is that the requirements for a naturally occurring nested 
defense in an optimization problem have been determined. Nehme and Morton show “the 
nestedness property hinges on supennodularity of the objective function and 
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submodularity of the [constraints]” (2010, sec. 3). However, these authors also conclude 
that many real-world problems do not exhibit these qualities. 

DAD models that include nested defenses with uncertain budget levels is a 
parametric programming problem. Bertsimas and Tsitsiklis describe parametric 
programming as a systematic procedure for obtaining objective function values for all 
values of a parameter (1997, p. 218). As a parametric programming problem, our DAD 
model places the uncertain parameter on the right hand side of the defense and/or attack 
budget constraints. When the defense and/or attack budget is uncertain, the analyst takes 
into account the entire range of budget scenarios in order to find a solution that contains 
common defenses. 

This chapter examines how much of an impact to optimality is incurred when 
nested defenses are required in a DAD problem instance with unknown defense and/or 
attack budgets. This chapter does not consider the idea of nested attacks by an adversary. 
We compare nested defense solutions against the optimal defense solutions to DAD 
problem instances in order to measure the effects of nesting. We use the DAD minimum 
cost flow problem formulation as well as the network of Alderson et al. (2015) described 
in Chapter I to illustrate nested defenses. Procedures to obtain optimal solutions to DAD 
minimum cost flow problem instances were displayed in Chapter I. In Figure 20, we plot 
the optimal solutions to the test network DAD problem for different defense and attack 
budgets. Figure 20, graph ‘a’ depicts the set of optimal solutions of the DAD problem 
instances for the test network by varying the defense and attack budgets on two axes, and 
displaying the corresponding optimal objective function value on the third axis. Each 
green star represents a DAD problem instance of a specific defense budget and attack 
budget. The optimal objective function values for DAD problem instances are a set of 
discrete points, since fractional values for defense budgets and attack budgets are 
meaningless. Figure 20, graph ’b’ depicts objective function value points connected with 
line segments. The line segments are for the illustrative purpose of enhancing the three 
dimensional effect of the plot, and are not meant to imply the existence of a continuous 
surface. 
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DAD Problem Instance Optimal Solutions 


DAD Problem Instance Optimal Solutions 


Test Network |... opt'mal| Test Netw0 rk |... optimal| 



Figure 20. Three Dimensional Plots of Test Network Optimal Solutions 


B. IMPLEMENTATION OF NESTED DEFENSES 

In order to implement nesting of defenses, a new set has to be introduced that 
represents budget scenarios. Budget scenarios allow for a parametric analysis of varying 
one or both budgets in the DAD model. We use omega to define a specific budget 
scenario (co) and the set of all budget scenarios (Q). The decision variables must carry a 
new superscript that identifies the budget scenario. 


Additional Sets: 

(0 efi Parameterized unknown budget scenarios 

There are at least two ways to incorporate the requirement for nested defenses in 
the DAD model. We investigate both approaches. The first method uses a block of 
constraints to force the defenses utilized in one budget scenario into the next scenario 
with a different value for the defense and/or attack budgets. The second method is to 
solve each problem instance separately in the order of the nesting strategy. We fix some 
of the defense variable values (W) from the previous problem instance for the next 
problem instance. We use the hat symbol ( A ) for a defense variable with a fixed value. 
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1. Nesting as Constraint Equations 

Implementation of nesting constraints in a parametric linear program allows us to 
examine all budget scenarios simultaneously. A new problem formulation objective 
function includes summation over all of the budget scenarios. The formulation of the 
DAD minimum cost flow problem is similar, but it now includes the new budget scenario 
superscript on all of the decision variables and budget data. There is a new constraint at 
the end of the formulation that depends upon the type of nesting strategy used. If the 
nesting strategy begins at the minimum budget, then Inequality (3.1a) is used. If the 
nesting strategy begins with maximum budget, then Inequality (3.1b) is used. If the 
nesting strategy begins at an intermediate budget, then a feasible combination of 
Inequalities (3.1a) and (3.1b) are used. 


Nesting Constraints 

W“< w ^ V(/,y) e E,d e D,o) e Cl. (3.1a) 

W t ;>W^ V(i,j)eE,deD,coen. (3.1b) 

2. Nesting by Fixing Variables 

A second method to implement nesting of defenses is to “fix” some of the defense 
variables to one or zero, depending on the starting instance of the nesting algorithm. We 
start with one DAD problem scenario of a specific defense and attack budget and solve it 
optimally. Next, take the defenses from the original instance as fixed values to a second 
DAD problem instance with the parameterized budget varied by one unit. Solve the 
second instance with the additional constraint optimally to obtain defenses in the second 
instance that are also in the first problem instance. This process repeats until all possible 
budget scenarios are solved and nested defenses are obtained. Some of the defense 
decision variables (W) change to fixed values (W), depending on the direction of the 
nesting strategy being used. Each budget scenario problem instance must be solved, one 
at a time, in the order of the nesting strategy. 
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a. Nesting Rule for Scenarios with Increasing Budgets 

First, the optimal solution for the starting point budget scenario is obtained. The 
optimal solution of the next budget scenario must contain all of the defenses chosen in 
the previous problem instance, and it may include another defense if an increase in 
defense budget pennits another defense. The defenses chosen (W) are changed from 
decision variables into fixed values of one. Next, a new problem instance is formed with 
the next scenario of increased defense and/or attack budgets. Nesting defenses under 
increasing budget scenarios can be called “fixing defenses to one” since as defenses are 
chosen in smaller budget scenarios, the value of their decision variable is fixed to one for 
larger budget scenarios. Equation (3.1c) summarizes the fixing of defense variables when 
a nesting strategy increases budgets. 


W^=\ VW£:W£=1. (3.1c) 

b. Nesting Rule for Scenarios with Decreasing Defense Budgets 

We start with the optimal solution to a DAD instance with a maximum defense 
and/or attack budget. The next problem instance has a reduction in the defense budget, 
attack budget, or both. In the next budget scenario, we fix all defense variables that are 
not selected as a part of the solution of the previous problem instance to zero. Thus, the 
only defense variables that can vary in the next problem instance budget scenario are 
those defense variables associated with the defenses that were chosen in the previous 
problem instance. The optimal solution to the new problem instance is determined, and 
the resulting defenses from that solution will be a subset of the defenses chosen from the 
starting problem instance. Nesting defenses under decreasing budget scenarios can be 
called “fixing defenses to zero” since defenses not chosen in larger budget scenarios 
cannot be chosen in smaller budget scenarios. Equation (3.Id) summarizes the fixing of 
defenses when a nesting strategy decreases budgets. 


w m+1 

yv ijd 


= 0 


VH£:JT-=0. 
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c. 


NESTED DEFENSE HEURISTIC APPROACH 


A straightforward approach to constructing a nested defense to a parameterized 
DAD problem instance is to use the fixed variable approach. We define this 
straightforward approach to constructing nested defenses as the “nested defense myopic 
greedy heuristic.” This process of obtaining nested defenses can be defined as a heuristic 
approach because there is no way of knowing if the nested defenses obtained by this 
process are the best nested defenses that the network could have. Furthermore, this 
process can be defined as a greedy heuristic because choosing the next defense variable 
to nest in the overall defense involves making the best possible improvement to the DAD 
problem instance with the inclusion of the nesting constraint (Rardin, 1998, p. 699). The 
process can also be characterized as myopic because it focuses on only one problem 
instance at a time, and it does not consider all possible budget scenarios at once. We 
present pseudo-code of a simple algorithm to implement the nested defense myopic 
greedy heuristic. 

Nested Defense Myopic Greedy Heuristic Algorithm 

Inputs: DAD problem instance network with a parameterized budget 
Outputs: Nested defenses and objective function values for all budget scenarios 

Algorithm: 

Current budget scenario = starting point problem instance 
Nested defense list = empty 

Solve DAD problem optimally for starting point budget scenario 
While unsolved parameterized budget scenarios exist: 

Append defenses from previous instance solution to nested defenses list 
Include nested defenses as a constraint to next DAD problem instance 
Increment budget scenario by varying parameterized budget by one unit 
Solve DAD problem instance for budget scenario 


Step two of the algorithm features a choice of how to start the nesting algorithm. 
The starting point of a heuristic nesting algorithm is defined as a DAD problem instance 
for a specific defense budget and attack budget. At the starting point, the DAD problem 
instance is solved without any nesting requirements. From the starting point, new 
problem instances are created by either changing the defense budget, the attack budget, or 
both budgets. The solution of those new problem instances will incorporate the defenses 

found in the prior problem instance in order for the system to have a nested defense. 
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Observation 3—1: A problem instance that is chosen as the starting point for a heuristic 
nesting algorithm has an optimal solution equal to the nested solution. 

The choice of the starting point problem instance of the heuristic nesting 
algorithm can impact the magnitude of the difference between a nested solution and an 
optimal solution for any specific instance of defenses and attacks. For example, a DAD 
problem instance with an unknown defense budget could have at least three different 
starting points. One starting point could be a minimum defense budget and the nesting 
would increase the defense budget for each successive instance. A second starting point 
begins at a maximum defense budget and nesting would decrease the budget for each new 
instance. A third starting point is an intennediate defense budget. Implementation of an 
intennediate budget starting point would begin with the optimal defense at that budget 
level and increment the budget until the maximum is reached and then return to the 
optimal intennediate defense and decrease budgets until the minimum is reached. 

As the defense and/or attack budget varies, the potential exists for a difference to 
grow between the nested defense solution and the optimal solution for different budget 
scenarios. The choice of the starting point instance has different implications for how the 
nested solution compares to the optimal solution over all possible defense and attack 
budgets. For example, consider the DAD problem on the test network where the defense 
budget is unknown, but the attack budget is fixed at three units. Table 4 summarizes the 
objective function values for nesting defenses from starting points of zero defense 
budget, maximum defense budget, and midrange defense budget. The optimal solution 
for each number of defenses is shaded green. Table 4 shows that the starting point 
instance for nesting defenses can result in different objective function values. 


Table 4. Effect of Defense Budget Starting Point on Nested Defense Solution 


Objective Function Values 
(Attack Budget = 3) 

Defense Budget 

0 

1 

2 

3 

4 

5 

Optimal Solution (Not Nested) 

87 

80 

64 

63 

47 

41 

Nested Defense: Start at minimum defense budget 

87 

80 

67 

64 

49 

43 

Nested Defense: Start at maximum defense budget 

87 

87 

70 

65 

47 

41 

Nested Defense: Start at midrange defense budget 

87 

87 

64 

63 

55 

47 
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Similarly, different starting points can also result in different nested defenses 
chosen for a particular defense and attack budget scenario. Table 5 shows the edges 
chosen as nested defenses for each different nesting start point and compares them with 
the optimal solution, which is shaded green. Any column in Table 5 shows that the nested 
defenses chosen depend on the starting point instance. 


Table 5. Effect of Defense Budget Starting Point on Nested Defenses Chosen 


Defenses Chosen 
(Attack Budget = 3) 

Defense Budget 

0 

1 

2 

3 

4 

5 

Optimal Solution 
(Not Nested) 

None 

(2, 7) 

(5,10) 

(5, 10) 
(10,11) 

(3,8) 
(10,11) 
(10, 13) 

(3,8) 

(9, 13) 
(10,11) 
(10, 13) 

Nested Defense: 

Start at minimum 
defense budget 

None 

(10, 13) 

(10, 13) 
(7, 8) 

(10, 13) 
(7, 8) 
(10,11) 

(10, 13) 
(7, 8) 
(10,11) 
(2,7) 

(10, 13) 
(7, 8) 
(10,11) 
(2,7) 

(9, 13) 

Nested Defense: 

Start at maximum 
defense budget 

None 

None 

(3,8) 

(3,8) 
(10, 13) 

(3,8) 
(10,11) 
(10, 13) 

(3,8) 

(9, 13) 
(10,11) 
(10, 13) 

Nested Defense: 

Start at midrange 
defense budget 

None 

None 

(5,10) 

(5, 10) 
(10,11) 

(5, 10) 
(10,11) 
(7, 8) 

(5, 10) 
(10,11) 
(7, 8) 
(10, 13) 


1. Heuristic Starting Point Assumption 

We assume a nested defense has a starting point scenario that can be computed by 
finding the optimal solution to a DAD problem instance with a known defense and attack 
budget. Heuristic nested defense strategies assume that the first budget scenario will have 
the nested defense equal to the optimal defense. For notation, we will use a star to signify 
the optimal solution to a DAD problem instance. Z refers to the optimal objective 
function value and W* refers to the optimal defenses chosen for a DAD problem instance 
of a specific defense and attack budget. Equation (3.2) states the myopic greedy heuristic 
starting point scenario assumption. 
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Nested Defense Heuristic Starting Point Scenario Assumption 
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2. Parameterized Defense Budget and Known Attack Budget 

When only the defense budget is subjected to parametric analysis, we assume that 
the attack budget is known. This situation occurs when the defender does not know the 
defense budget, but must decide on the defenses for the system. The defense budget is 
revealed after defense decisions are made. The defender must make a prioritized list of 
the best defenses for the system. The defender chooses a starting point budget scenario 
for heuristic nesting of prioritized defenses. The starting point instance could be 
minimum defense budget, maximum defense budget, or somewhere in between. 

Figure 21 shows how the objective function value of heuristic nested defenses 
compares with the optimal objective function values for the test network. Figure 21 gives 
the ability to visualize the effect of nested defenses in comparison to optimal defenses. 
Problem instance budget scenarios are displayed on two axes, and objective function 
value is the third axis. The corresponding objective function values are of the nested 
defense and optimal defense are graphed as pairs of different points. The distance 
between each pair of points gives the analyst a way to show a decision maker that nesting 
defenses appears different than the optimal defense in terms of overall system cost. 

In Figure 21, the attack budget is held constant while the defense budget is 
allowed to vary from three different starting points. The first graph starts at zero defense 
budget and increases the defense budget one unit at a time. The second graph starts at the 
maximum defense budget of five units and decreases the defense budget by one unit. The 
third graph starts with a midrange defense budget of three units and increments the 
defense budget in both directions. The green stars represent the optimal (non-nested) 
objective function values. The optimal values are connected by line segments to enhance 
the three dimensional effect of the graph. The blue dots represent the nested solution 
objective function values. The distance between the green stars and the blue dots 
represent the cost difference between nested and optimal defenses. 
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Nested Solutions By Varying Defense 


Nested Solutions By Varying Defense 




Nested Solutions By Varying Defense 



(a) Starting instance of minimum budget (b) Starting instance of maximum budget 

(c) Starting instance of midrange budget 

Figure 21. Nesting with Parameterized Defense Budgets at Various Start Points 


In the first graph of Figure 21, nesting of defenses begins at zero defense budget. 
To visualize the effect of increasing defense budgets in the first graph, the reader can 
follow how the blue dots deviate from the green stars from left to right for any known 
attack budget. We can see in the first graph that the nested defense solution begins to 
diverge from the optimal solution when the defense budget is increased to two for all 
values of attack budgets. The biggest deviations between optimal and nested solutions 
appear to occur when the attack budget is fixed at larger values and the defense budget is 
at a midrange value. The deviations from optimality can be explained because the 
addition of defenses by one budget unit only allows for the protection of existing edges. 
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Adding a new edge to the network costs two units, and changing the budget by one unit at 
a time means that adding a new edge is unaffordable. The new edge is unaffordable 
because only one new unit of defense budget is ever available, and a new edge would 
require two new units of defense budget. Therefore, a new edge can never be considered 
as a defense when defense budgets are only increased by one unit at a time. 

In the second graph of Figure 21, nesting of defenses begins at the maximum 
defense budget of five units. To visualize the effect of decreasing defense budgets in the 
second graph, the reader can follow how the blue dots deviate from the green stars from 
right to left for any fixed attack budget. The largest deviations between the nested value 
and the optimal value appear to occur at defense budget of two. This deviation can be 
explained because the optimal solution at two defenses will choose to add a new edge as 
a defense, which has a cost of two units. But, the nested defense that is found with a 
starting point of five units does not have any new edges as defenses, but rather only 
protected existing edges. Recall that protecting an existing edge only costs one unit. So, 
as defenses are removed one by one as the defense budget decreases, the nested solution 
will deviate from the optimal solution because the new edges are not available to be 
utilized as defense. 

In the third graph of Figure 21, nesting of defenses begins at the intermediate 
defense budget of three units. To visualize the effect of both increasing and decreasing 
defense budgets in the third graph, the reader can follow how the blue dots deviate from 
the green stars by starting at the middle of the graph and moving both from right to left 
and left to right for any known attack budget. In this graph we see the largest deviations 
when the defense budget is one for most of the fixed attack values. Again, the large 
deviation can be explained because of how defenses are priced. In most of these cases a 
new edge defense is present as the only defense when the defense budget is two units. 
When the defense budget is reduced to one, the new edge defense is no longer affordable, 
and the system is left defenseless against one attack. The defenseless system against one 
attack explains the higher nested solution values. 

In each of the graphs of Figure 21, we observe that deviations from optimality do 

not monotonically grow larger as the as the budget scenarios move away from the anchor 
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point. We believe the largest deviations in all nesting strategies occur when the optimal 
defense can employ a new edge as a defense, but the nested defense approach cannot. 
Since the nested defense cannot afford to add a new edge as the defense budget is varied 
by one unit, the opportunity for large deviations between the solutions occurs. 

3. Known Defense Budget and Parameterized Attack Budget 

We use the term persistent defenses to describe a nested defense DAD problem 
instance where the defense budget is known in advance, but the attack budget is subject 
to parametric analysis. In this type of analysis, the defender has to choose a defense to 
withstand an unknown number of attacks. For the heuristic approach, the defender must 
choose a starting point instance for the nesting of defenses. The starting point instance 
can either be a minimum, maximum, or intermediate attack budget. 

The concept of nested defenses with a known defense budget and a parameterized 
attack budget is different than the type of nesting in the previous section. Here, the 
defenses chosen at the starting point instance do not change over the parameterized attack 
budget instances because the defense budget is fixed. The nesting requirement does not 
allow any defense to be swapped out for a different defense as attack budget scenarios 
change. This fundamental difference in the nature of what the term nested defense means 
when the defense budget is fixed leads us to introduce the persistent defense tenninology 
in order to avoid confusion. 

To understand the effect of persistent defenses, consider the test network and a 
nested defense requirement for an unknown number of attacks when the defense budget 
is known to be four units. Tables 6 and 7 show the objective function values and the 
defenses chosen for a persistent defense from starting points of zero attack budget, 
maximum attack budget, and midrange attack budget. The non-nested optimal solutions 
are shaded in green to provide a point of comparison in Tables 6 and 7. 
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Table 6. Effect of Attack Budget Starting Point on Persistent Defenses 


Objective Function Values 
(Defense Budget = 4) 

Attack Budget 

0 

1 

2 

3 

4 

5 

Optimal Solution (Not Nested) 

20 

23 

37 

47 

58 

65 

Persistent Defense: Start at minimum attack budget 

20 

23 

37 

62 

79 

80 

Persistent Defense: Start at maximum attack budget 

25 

33 

47 

49 

64 

65 

Persistent Defense: Start at midrange attack budget 

23 

27 

45 

47 

62 
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Table 6 shows that the objective function value for the persistent defenses 
matches the optimal non- nested value when the number of attacks is equal to the starting 
point. However, persistent defenses may become suboptimal once the attack budget 
changes to a level different from the start point. Table 7 provides the detail to show that 
“persistent” defenses do not change much when the defense budget is a constant. From 
the starting point of zero attack budget, the same defenses are chosen for any level of 
attack budget. The same effect is seen with the starting point of attack budget three units. 


Table 7. Effect of Attack Budget Starting Point on Persistent Defenses 


Defenses Chosen 
(Def. Budget=4) 

Attack Budget 


0 

1 

2 

3 

4 

5 

Optimal 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

(1,5) 

(2,7) 

(Not Nested) 

(5,10) 

(5,10) 

(5,10) 

(10,11) 

(5,10) 

(7,8) 





(10, 13) 

(10,11) 

(10,11) 







(10,13) 

Nest start point: 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

Minimum Attack 

(5,10) 

(5,10) 

(5,10) 

(5,10) 

(5,10) 

(5,10) 

Budget 







Nest start point: 

None 

None 

(2,7) 

(2,7) 

(2,7) 

(2,7) 

Maximum Attack 



(7,8) 

(7,8) 

(7,8) 

(7,8) 

Budget 




(10,11) 

(10,11) 

(10,11) 





(10,13) 

(10,13) 

(10,13) 

Nest start point: 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

(3,8) 

Midrange Attack 

(10,11) 

(10,11) 

(10,11) 

(10,11) 

(10,11) 

(10,11) 

Budget 

(10, 13) 

(10,13) 

(10, 13) 

(10, 13) 

(10, 13) 

(10,13) 


There is an anomaly in Table 7 when the starting point is maximum budget 
because all of the defenses are not retained across the parametrization of attack budgets. 
For attack budgets of zero, one or two units, all of the defenses chosen at the starting 
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point are not selected. A simple explanation for this anomaly is that the defenses chosen 
in Table 7 produce an equivalent objective function value as the attack budget is 
decremented by one unit at a time. In the starting instance of an attack budget of five 
units, only existing edges are protected as defenses. There are instances where not 
protecting all of these existing edges produces an equivalent objective function value. To 
see this more clearly, consider the instance of defense budget four and attack budget two, 
depicted in Figure 22. If two existing edges are defended, the objective function value is 
47. If four existing edges are defended, the objective function value is also 47. The worst- 
case attacks are different for these equivalent defense choices, but the resulting objective 
function values are the same. It is not obvious in Figure 22 that these two defenses are 
equivalent, since no nodes are isolated from flow in the system on the left, but nodes 1, 5 
and 9 are isolated in the system on the right. These two systems are equivalent because 
the transport costs for the system on the left offset the penalties for unmet demand at 
nodes for the system on the right. 


Defense Budget = 4, Attack Budget = 2 Defense Budget = 4, Attack Budget = 2 




(a) Equivalent Persistent Defense 


(b) Complete Persistent Defense 


Figure 22. Equivalent Persistent Defenses on the Test Network 


The other interesting effect seen in Tables 6 and 7 is the persistent defense is also 
optimal when there are zero, one or two attacks with a starting point instance of minimum 
attack budget. The same defense is optimal for these different attack budgets. 
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The next series of graphs show how the objective function value of persistent 
defenses compares with the optimal objective function values. In Figure 23, the defense 
budget is held constant while the attack budget is allowed to vary from three different 
starting points. The first graph starts at zero attacks and increases the attack budget one 
unit at a time. The second graph starts at five attacks and decreases the attack budget by 
one unit. The third graph starts with three attacks and increments the attack budget in 
both directions. The green stars represent the optimal (non-nested) objective function 
values. The optimal values are connected by line segments to enhance the three 
dimensional effect of the graph. The red squares represent the objective function values 
for the system with persistent defenses. The distance between green stars and red squares 
represent the cost difference between the persistent defense and the optimal defense. 
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Persistent Defenses By Varying Attack 


Persistent Defenses By Varying Attack 




Persistent Defenses By Varying Attack 



(a) Starting instance of minimum budget (b) Starting instance of maximum budget 
(c) Starting instance of midrange budget 

Figure 23. Persistent Defenses with Parameterized Attack Budgets 

In the first graph of Figure 23, persistence of defenses begins at an attack budget 
of zero. To visualize the effect of increasing attack budgets in the first graph, the reader 
can follow how the red squares deviate from the green stars from the front to the back for 
any fixed defense budget. We can see in the first graph that the nested defense solution 
begins to diverge from the optimal solution when the defense budget is increased to two 
units. The biggest deviations between optimal and persistent defense appear to occur 
when the defense budget and attack budget are large values. The large deviations from 
optimality can be explained at these instances because the persistent defenses are optimal 
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for zero attacks, and they remain the same for all attack budgets. These defenses are less 
likely to be optimal when more attacks are applied to the network, and the objective 
function suffers more and more as the number of attacks against these defenses increases. 

In the second graph of Figure 23, persistence of defenses begins at the maximum 
attack budget of five units. To visualize the effect of decreasing attack budgets in the 
second graph, the reader can follow how the red squares deviate from the green stars 
from the back of the graph to the front of the graph for any fixed defense budget. We can 
see in the second graph that the magnitude of the deviations from optimality appears to 
be smaller overall than the first graph. The biggest consistent deviations between optimal 
and persistent defense appear to occur for defense budgets of four and five. An 
explanation for this behavior is that the persistent defense is optimal only when there are 
five attacks, and less attacks on the system with the same defenses result in larger costs 
than optimal defenses. 

In the third graph of Figure 23, persistence of defenses begins at a midrange 
attack budget of three units. To visualize the effect of increasing and decreasing attack 
budgets in the third graph, the reader can follow how the red squares deviate from the 
green stars from the middle of the graph to the back of the graph and again from the 
middle of the graph to the front of the graph for any fixed defense budget. We can see in 
the second graph that the magnitude of the deviations from optimality appears to be 
smaller overall than the first graph. The biggest consistent deviations between optimal 
and persistent defense appear to occur for attack budgets of two and four units for almost 
all fixed values of defense budgets. All of the deviations appear to be fairly small without 
an obvious explanation. 

4. Parameterized Defense and Attack Budgets 

Nested defenses for the DAD problem are more complicated when both the 
defense and attack budgets are unknown. We believe this situation is the most difficult 
and realistic type of scenario that an analyst can face when a prioritized list of nested 
defenses is required. First, we show that the analyst should not use the techniques of the 
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previous two subsections because the results will be inconsistent. Second, we propose a 
strategy to parameterize both the defense and attack budget to achieve nested defenses. 

a. Use of Previously Seen Nesting Methods is Inconsistent 

When both the defense and attack budgets are unknown, the defender should not 
use one of the previous nesting strategies. Nesting strategies which only parametrize one 
budget may lead to inconsistent nested solutions when both attack and defense budgets 
are uncertain. For example, the analyst could pretend that he or she knows the defense 
budget and then vary the attack budget. Then the analyst could repeat the process for each 
possible defense budget level to obtain a set of nested defenses. Alternatively, the analyst 
could pretend that the attack budget is known and then vary the defense budget. Next, the 
analyst would repeat the process for every possible attack budget and obtain a set of 
persistent defenses. Both of these approaches are not guaranteed to produce a similar set 
of solutions that are completely nested across all budget scenarios. Both of these nesting 
methods guarantee a nested solution along one axis (defense or attack budget), but it does 
not guarantee that a solution set will be nested on the other axis. An example can be seen 
in the test network. 

In the test network we see that the nested solution for a defense budget of two 
units and an attack budget of three units can produce two different nested defense 
solutions with different objective function values if the nesting strategy is changed, even 
when similar nest starting points are used. The nested solution obtained by varying the 
defense budget and holding the attack budget constant yields an objective function value 
of 67 and a defense plan to defend two existing edges. But, when the attack budget is 
varied and the defense budget is held constant, the nested solution yields an objective 
function value of 64 and a defense plan to build one new edge. Tables 8 and 9 summarize 
the different results that are obtained when only one budget is parameterized. In Table 9, 
note that only one defense is chosen with the defense budget of two units because the cost 
of adding edge (5, 10) in the test network is two units. 
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Table 8. Nested Defense Obtained by Varying Defense Budget 


Defense and Attack 
Budget Unknown 

Defense Budget 

0 

1 

2 

Attack Budget = 3 

Nest Start: Minimum 
Defense Budget 

Objective = 87 
Defend: None 

Objective = 80 
Defend: (10, 13) 

Objective = 67 
Defend: (10, 13), (7, 8) 


Table 9. Nested Defense Obtained by Varying Attack Budget 


Defense and 

Attack Budget 

Unknown 

Attack Budget 

0 

1 

2 

3 

Def. Budget = 2 
Nest Start: Min. 
Attack Budget 

Objective = 22 
Defend: (5, 10) 

Objective = 26 
Defend: (5, 10) 

Objective = 47 
Defend: (5, 10) 

Objective = 64 
Defend: (5, 10) 


In Tables 8 and 9, the scenarios shaded in orange both have the same defense 
budget of two and attack budget of three, but the objective function values and defenses 
are different. When both the defense budget and attack budget are uncertain, the analyst 
cannot arbitrarily choose to hold one budget constant and incrementally change the other 
budget. The arbitrary choice of which budget to hold fixed and which to vary affects both 
the objective function value and the defense plan obtained. 

b. V Nesting Method 

A different method is needed to produce nested solutions to DAD problem 
instances under uncertain defense and attack budgets. This method must be able to 
produce defenses that are nested and also account for the uncertainty in both the defense 
and attack budgets. We have developed a nesting algorithm called V nesting that can 
account for both types of budget uncertainty. Instead of nesting by either holding the 
defense or attack budget constant, this method increases both budgets simultaneously. 
This algorithm chooses a series of successive start points called anchor points and builds 
nested defenses along each uncertain budget axis. The base of the V is the anchor point 
instance, and each arms of the V is the nested instance resulting from varying one of the 
budget parameters. This method ensures that each successive anchor point has nested 
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defenses from the previous anchor point as well. Since each axis builds nested defenses 
from its respective anchor point, the group of problem instances that are defined by a 
particular anchor point resembles a “V” shape when plotted on a graph with the defense 
budget and attack budget as the axes. We observe that V nesting is not the only possible 
strategy for nesting defenses when both defense and attack budget are subject to 
parameterization. 

The V nesting algorithm works in the following fashion. Assume that both the 
defense budget and attack budget are not known to the analyst. The analyst chooses a 
starting point scenario for nesting, such as minimum defense and attack budgets. The 
starting point scenario serves as an anchor instance to nest defenses for similar instances. 
We defense a similar instance to be a DAD problem instance that has either the same 
defense budget or attack budget to the anchor problem instance. From the starting point 
solution, nested defenses to similar problem instances are obtained in two steps. The first 
step is to generate new problem instances by holding the attack budget constant, and 
increase the defense budget incrementally by one unit to the maximum parameter value. 
Each new problem instance is solved with the nested defense requirement. The second 
step is to generate more new problem instances by holding the defense budget at 
minimum and increasing the attack budget by one unit until the maximum attack budget 
is reached. No new defenses are added in the second step, but the new problem instances 
will have a defense that is the same as the starting point defense. Thus, all similar 
problem instances that either increase the defense budget or the attack budget, but not 
both, must have a nested defense in comparison to the anchor instance. Next, another 
anchor problem instance is created by taking the last known anchor point and increasing 
the defense and attack budgets by one unit and obtaining a nested defense based on the 
previous anchor. The process repeats at the new anchor point. Anchor points are 
successively created until all defense budget and attack budget combinations have been 
evaluated. The pseudo-code of the V-nesting algorithm summarizes how the algorithm 
forms a nested defense. 
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“V” nesting algorithm (increasing defense & attack budget) 

Inputs: 

DAD minimum cost flow network with parameterized defense & attack budgets 
Defense level = minimum defense budget (zero for test network) 

Attack level = minimum attack budget (zero for test network) 

Outputs: Objective function values and nested defenses for all budget scenarios 

Algorithm: 

While defense level < maximum budget OR attack level < maximum budget: 
Solve “Anchor” DAD problem instance 
Append defenses obtained to nested defense list 
While defense level < maximum defense budget: 

Increment defense level by one unit 
Solve “similar” DAD problem instance 
Append defenses obtained to nested defense list 
Reset defense level = anchor defense budget 
Reset nested defense list to anchor nest defense list 
While attack level < maximum attack budget: 

Increment attack level by one unit 
Solve “similar” DAD problem instance 
Append defenses obtained to nested defense list 
Reset attack level = anchor defense budget 
Reset nested defense list to anchor nest defense list 
Create new “anchor” DAD problem instance: 

Reset nested defense list = nested defense list for last anchor point 
Increment attack level by one unit 
Increment defense level by one unit 


Figure 24 illustrates how successive problem instances are created for different 
starting point instances of the V nesting algorithm. The axes of each plot are defense 
budget and attack budget levels. Each point on the grid represents a DAD problem 
instance for a specified defense budget and attack budget. The points with assigned letters 
represent the anchor points for nesting of defenses. All points of the same color have a 
nested defense. Also, the assigned letter points have nested solutions from each other. 
The colored arrows describe how nested defenses successively build from each anchor 
point. The black arrows show how each anchor point is nested from a previous anchor. 
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V-nest Strategy Start at Minimum Defense & Attack Budgets 


V-nest Strategy Start at Maximum Defense & Attack Budgets 




V-nest Strategy Start at Midrange Defense & Attack Budgets 



(a) Starting instance of minimum budget (b) Starting instance of maximum budget 
(c) Starting instance of midrange budget 

Figure 24. Nesting Strategies for Parameterized Defense and Attack Budgets 


The first plot of Figure 24 helps to explain the V-nesting strategy from a starting 
point of minimum defense and attack budgets. First, we start at point A, which represents 
a DAD problem instance of zero defense and attack budget. The optimal solution to this 
instance is the starting point for the nesting of all defenses. Next, the horizontal red arrow 
depicts that nested solutions for problem instances of zero attacks and various defenses 
are determined by increasing defense budget by one unit, with each solution nested by the 
previous solution. The vertical red line depicts that nested solutions for zero defenses are 
obtained by increasing the number of attacks by one unit, and holding the defense budget 
at zero. Obviously, there are no defenses chosen for any of these instances, since there is 
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no defense budget available. In order to obtain a nested solution at point B, we follow the 
nesting black line from the instance at point A to the instance of one defense and zero 
attacks and then increase the defense budget by one unit from that instance to obtain the 
new nested defense instance at point B. The process repeats itself at point B to form all of 
the green problem instances that have nested solutions that are nested from the instance at 
point B. Nested defenses for problem instances derived from points C, D, E and F are 
determined in the same fashion. Each problem instance of an equal number of defenses 
and attacks then has a nested solution set. Each of these instances becomes a base for a V 
shape of problem instances that either vary the attack or defense budgets. Nested 
solutions are built from these base instance solutions to complete the nesting strategy. 

The V-nesting strategy for a starting point instance of maximum defense and 
attack budgets is shown in the second plot of Figure 24. This nesting start point requires a 
few modifications to the previously discussed algorithm. The first anchor point would be 
initialized to maximum defense and attack budgets. The initial nested defenses list 
contains the defenses utilized in the optimal solution to the anchor point budget scenario. 
As successive DAD problem instances are solved, the nested defense list has items 
removed instead of appended. The starting point is at problem instance A on the second 
plot. The development of nested defenses from point A is derived in a similar fashion. In 
order to nest from anchor point A to anchor point B, the nested defense for one less 
defense budget unit is also nested as the attack budget is reduced by one unit. The black 
arrows show how the nesting is performed. The process is repeated for anchor points B 
through F to complete the V-nesting strategy. 

The V-nesting strategy is slightly more complicated when starting from a 
midrange defense and attack budget. The third plot of Figure 24 shows how the nesting 
strategy grows from a midrange primary anchor point. The first anchor point A is solved 
optimally. The increasing budget nesting strategy is used to determine all problem 
instances from anchor points A through C. The decreasing budget nesting strategy is used 
for problem instances that can be defined in terms of anchor points A, D E, and F. 
However, the problem instances represented by the yellow dots in the third plot are not 
defined in terms of either of these nesting strategies. In order to have nested defenses at 
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these instances, we define additional anchor points from previously defined problem 
instances that are nested from the first anchor point A. These additional anchor point 
problem instances are labeled G1 through G5. Each of these five anchor point instances 
has a nested defense from the first anchor point A. From each of the G anchor points the 
defense budget is increased or decreased, as necessary, to define the remaining problem 
instances. All instances have a defense that is nested in terms of the starting point 
problem instance of anchor point A. 

The next three graphs show how the objective function value of V-nested 
defenses compares with the optimal objective function values. In Figure 25, the effect on 
the objective function value of nesting defenses with a parameterized defense and attack 
budgets is compared with optimal objective function values. The defense and attack 
budgets are allowed to vary from three different starting points. The first graph starts at 
zero defense and attack budgets. The second graph starts at defense and attack budgets at 
a maximum of five units. The third graph starts at a midrange defense and attack budget 
of three units each. The green stars represent the optimal (non-nested) objective function 
values. The optimal values are connected by line segments to enhance the three 
dimensional effect of the graph. The magenta diamonds represent the nested defense 
solution objective function values. The vertical distances between green stars and 
magenta diamonds represent the objective function value difference between the nested 
defense and the optimal defense. 
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Nested Solutions for Uncertain Defense & Attack 



(a) Starting instance of minimum budget (b) Starting instance of maximum budget 
(c) Starting instance of midrange budget 

Figure 25. Nesting with Parameterized Defense and Attack Budgets 

In the first graph of Figure 25, nesting of defenses begins at a defense and attack 
budget of zero. To visualize the effect of increasing defense and attack budgets in the first 
graph, the reader can follow how the magenta diamonds deviate from the green stars 
from the bottom left corner of the graph to the top right corner of the graph. We can see 
in the first graph that the nested defense solution begins to diverge from the optimal 
solution when the attack budget increases, but the bigger deviations occur when the 
defense budget is increased to two. This can be explained because at a defense budget of 
two units, the optimal solution can add new edges as defense to the system. But, the V- 
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nesting strategy cannot use these defenses because it only increments defenses by one 
unit at a time. Since only one new unit of defense budget is ever available to the 
algorithm, adding a new edge is unaffordable and never selected. 

In the second graph of Figure 25, nesting of defenses begins at the maximum 
defense budget and attack budget of five units. To visualize the effect of decreasing 
defense and attack budgets in the second graph, the reader can follow how the magenta 
diamonds deviate from the green stars from the top right corner to the bottom left corner 
of the graph. The second graph shows that in general terms, the V-nesting approach is a 
very close to the optimal solution when beginning from a starting point of maximum 
budgets. However, we believe that a unique aspect of the problem instance allows this 
method to have the smallest deviation. The optimal solution of the maximum defense and 
attack budget problem instance involves defending five existing edges, and defending an 
existing edge costs one unit. Thus, removing one unit of budget at a time will result in 
defending a corresponding amount of existing edges to the parameterized defense budget. 
The added edges costing two defense units do not appear in the anchor scenario for this 
problem instance, so large deviations from optimality do not occur. 

In the third graph of Figure 25, nesting of defenses begins at a defense and attack 
budget of three units. To visualize the effect of changing defense and attack budgets in 
the second graph, the reader can follow how the magenta diamonds deviate from the 
green stars from the center to the bottom left corner of the graph and again from the 
center to the top right corner of the graph. We can see in the third graph that deviations 
between the nested and optimal solutions are very small from the starting point to the 
minimum budget levels. However, deviations between the nested and optimal solutions 
do develop from the middle and are fairly substantial when the defense budget or the 
attack budget are at their maximum values of five units. 

D. NESTED DEFENSE ALGORITHM STEP SIZE 

Next, we change an assumption on how a nesting of defenses operates. Previously 
we assumed that nesting of defenses required an incrementing of the parameterized 
budgets by one unit. We show that this definition of nesting can be problematic. We will 
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broaden the definition of nesting so that the incremental change of budgets does not have 
to be by one unit. The size of the incremental change of budget can be referred to as the 
“step size” of the nesting requirement. Define a nesting step size to be a nesting of 
defense budget by an increment other than one. For example, nesting could occur by 
every two defense budget units, so that the five best defenses includes the three best 
defenses, and the three best defenses includes the one best defense. Generally, a nesting 
requirement of k budget units would mean that the k best defenses would be a subset of 
the 2k best defenses, which would also be a subset of the 3k best defenses, and so on. 

We want to examine the step size between nested defenses because not all 
defenses have the same cost in the test network. Defending an existing edge costs one 
unit of defense budget, but adding a new edge to the network costs two defense budget 
units. We are never be able to add a new edge to the network if we use a nesting strategy 
that adds to the defense budget one unit at a time. Since we only have one more unit of 
budget available, the only option available is to defend another existing edge. 

To illustrate why the use of a nested step size of one defense can be problematic, 
consider an example from the test network using the myopic greedy heuristic algorithm. 
We will consider nesting strategy of increasing defenses, and use the instance of defense 
and attack budgets of one unit as a starting point. The optimal solution to the DAD 
problem instance is to defend the existing edge (10, 13) with an objective function value 
of 32. In order to obtain the nested defense for the instance of defense budget of two and 
attack budget of one, the defense of edge (10, 13) must be included in the solution. The 
best feasible nested defense solution for defense budget of two and attack budget of one 
is to defend edges (10, 13) and (2, 7), with an objective function value of 30. However, 
the optimal solution for the defense budget of two and attack budget of one problem 
instance is to add new edge (5, 10) with an objective function value of 26. The problem 
that can be seen in the one step nesting of defenses approach is that it would be 
impossible for the nesting algorithm to ever even consider building new edge (5, 10) 
because it has a defense cost of 2 units. When the defense budget is increased from one 
unit to two units, there is actually only one new unit of defense budget that can be used, 
since the nesting requirement of defending edge (10, 13) requires the consumption of one 
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unit of defense budget. Therefore, the nesting algorithm can only choose a second 
defense that costs one unit of defense budget. The only defense options available in the 
test network that cost one unit are defending existing edges. A nesting algorithm with a 
step size of one is forced to exclude adding new edges, since this type of defense has an 
unaffordable cost of two units. Since the step size of one nesting algorithm cannot 
consider the defense that leads to optimal solution for the defense budget of two and 
attack budget of one problem instance, it is impossible for it to obtain the optimal 
solution. The plots of Figures 26 show the nested and optimal solutions on the test 
network. A more general statement from this example is given in an observation. 

Observation 3-2: A nested solution algorithm that has a step size smaller than the cost of 
any particular defense option cannot ever consider that particular defense option for a 
feasible solution, except during the anchor point budget scenario. 


Defense Budget = 1, Attack Budget = 1, Nesting Step Size = 1 


Defense Budget = 2, Attack Budget * 1, Nesting Step Size = 1 




— Nested Defense 

- Optimal Defense 

X Optimal Attack 


(a) Initial Nested Solution is Optimal 


(b) Nesting Excludes Optimal Solution 


Figure 26. Effect of Budget Step Size on Nested Defense 


In order to prevent the situation in the Figure 26, a nesting solution should have a 
minimum defense budget step size that can allow the choice of any defense option. In the 
case of the test network, defending existing edges costs one unit and adding new edges 
costs two units, so the minimum step size should be two units of defense budget. Notice 
that the minimum step size of the defense budget has nothing to do with the minimum 
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step size of the attack budget. But, a similar problem could exist if attacking different 
items in the system had different costs to the attacker. In that case, then the minimum step 
size in the attack budget should be equal to the cost of the largest attack, so that every 
attack could be considered. 

In Figure 27, the effect on the objective function value of nesting defenses with a 
parameterized defense budget and a known attack budget is compared with optimal 
objective function values with a defense budget step size of two units. The number of 
attacks are held constant while the number of defenses is allowed to vary from two 
different starting points. The first graph starts at defense budget of one and increases the 
defense budget two units at a time. The second graph starts at a maximum defense budget 
of five units and decreases the defense budget by two units. The green stars represent the 
optimal (non-nested) objective function values. The optimal values are connected by line 
segments to enhance the three dimensional effect of the graph. The blue dots represent 
the nested solution objective function values. The vertical distances between the green 
stars and the blue dots represent the objective function difference between the nested 
defense and the optimal defense. 


Defense Budget = 1, Attack Budget = 1, Nesting Step Size = 1 


Defense Budget = 2, Attack Budget * 1, Nesting Step Size = 1 



— Nested Defense 
X Optimal Attack 


- Nested Defense 

■ Optimal Defense 
X Optimal Attack 


(a) Starting instance of one defense unit (b) Starting instance of five defense units 


Figure 27. Nested Defenses for a Two Unit Step Size 
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In the first graph of Figure 27, nesting of defenses begins at a defense budget of 
one unit. To visualize the effect of increasing defense budgets in the first graph, the 
reader can follow how the blue dots deviate from the green stars from left to right for any 
fixed attack budget. We can see in the first graph that the nested defense solution almost 
perfectly matches the optimal solution as the defense budget is increased from one to 
three units for every instance of known attack budgets. There is only a small difference 
between the nested solution and the optimal solution as the defense budget is raised again 
from three units to five units for most instances of fixed attack budgets. In general, it 
appears that the use of a larger step size makes the nested defense almost as good as the 
optimal defense. 

In the second graph of Figure 27, nesting of defenses begins at a maximum 
defense budget of five units. To visualize the effect of decreasing defense budgets in the 
second graph, the reader can follow how the blue dots deviate from the green stars from 
right to left for any fixed attack budget. We can see in the second graph that the nested 
defense is a nearly perfect match to the optimal defense when the defense budget is 
decreased from five to three units. When the defense budget is lowered again from three 
units to one unit, the nested defense is a perfect match to the optimal solution in all but 
one instance. The only deviation between the nested defense and the optimal defense 
occurs when the known attack budget is two units. Again, it appears that the use of a step 
size greater than one makes the nested defense almost as good as the optimal defense. 

The shortcoming of this approach is that some problem instances are not defined 
because the defense budget was skipped by the larger step size. It is possible that in a 
scenario where the defense budget is uncertain, that a defense budget of four is realized, 
but the nesting analysis only covers defense budgets of one, three and five. The action 
that should be taken by an analyst in this situation is unclear. 

The prioritized list gives the defenses that should be chosen for the next lower 
defense budget. We recommend the implementation of those defenses in this case. It 
would be possible to have no extra defenses and leave the remaining portion of the 
defense budget unused. This course of action is most likely suboptimal since an 

additional defense may force the attacker to change their plans. The other course of 
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action would be to use the defenses chosen in the prioritized list for the next lowest 
defense budget, and then choose one more defense to completely exhaust the known 
defense budget through another round of analysis. 

It is unnecessary to perform an analysis of the effects of step size for persistent 
defenses when the defense budget is known in advance and the attack budget is unknown 
on the test network. Recall that in our test network all attacks have an equal cost of one 
unit. There are no attacks that have costs greater than one, so there is no need to undergo 
an investigation of larger step sizes of persistent defenses, since all possible attacks can 
be considered with a step size of one unit of attack budget. 

E. NESTED DEFENSE DISTANCE FROM OPTIMALITY MEASUREMENT 

When considering how to assess the optimality costs of a nested defense to a 
DAD problem instance, a methodology to measure the distance between the nested 
defenses and the optimal defenses is necessary. In our analysis so far, we have seen how 
to graphically compare nested solutions to optimal solutions for all budget scenarios. 
Some insight can be gained from looking at plots of nested defenses and optimal defenses 
for all budget scenarios. But, the graphs presented in the last section do not provide 
conclusive proof that one nesting strategy is preferable to another. 

We desire one simple number as an assessment of the quality of the prioritized list 
of nested defenses. We need to measure a distance from optimality for a nested set of 
defenses to a DAD problem instance. The concept of measuring the cost of nested 
defenses has been touched upon briefly in the literature. Koc and Morton define the “cost 
of prioritization” as the “percentage difference of the optimal prioritization solution from 
the wait-and see solution” (2015, p. 591). The wait and see solution refers to the optimal 
solution without a prioritized list of nested defenses. We examine five different methods 
to measure the cost of prioritization. 

1. Vector Analysis 

The nested defense objective function values for parameterized defense and/or 
attack budget scenarios can be formed into a vector. Similarly, the corresponding optimal 
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non-nested objective function values for these parameterized budget scenarios can also be 
formed into a vector. We consider the optimal non-nested solution to the problem as a 
common point of reference or zero vector to compare against any nested defense solution 
vector. We define the difference vector as the vector of differences between the optimal 
zero vector and the nested solutions vector. The goal of the vector nonn analysis is to 
determine which nesting strategy is the closest to the optimal solution when a choice of 
nesting strategies are available to an analyst. 

The difference vector gives the detail of how far each nested solution is from the 
optimal solution. All of the parametrized budget scenarios are captured as elements in the 
difference vector. Vector norms can be computed on the difference vector to give a one 
number comparison of a nested solution strategy with the optimal solution. Leon (2010, 
p. 238) defines common vector norms. The 1-norm is the sum of the absolute value of all 
differences. The 2-norm is the square root of the sum of all squared differences. The 
infinity norm is the maximum absolute value difference within the vector of differences. 
These norms are summarized in Figure 28. The nesting strategy that has the smallest 
valued norms would be the closest to the optimal solution. A decision maker should 
choose a nesting strategy with the smallest vector norms. 


Vector Norm Analysis Definitions: 


b B 

a e A 

Optimaha 

Nestedba 

§b a = nestedba - optimaha 


Set of all defense budget values; 

(Note: b min & b max are minimum & maximum values.) 
Set of all attack budget values 

(Note: a min & a max are minimum & maximum values.) 
Optimal objective function value for budgets b & a. 
Nested objective function value for budgets b & a. 
Difference between solutions for budgets b & a. 
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Figure 28. Definitions of Vector Norms. Adapted from Leon (2010). 
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Observation 3-3: Each difference between the nested defense value and the optimal value 
must be a non-negative number. 

Proof of Observation 3-3: It is impossible to achieve any feasible solution to a 
problem instance that is better than the optimal solution. 

In order to better understand how the vector norm allows us to assess the 
performance of a nesting strategy, consider the test network with the myopic greedy 
heuristic nesting strategy where both the defense budget and the attack budget are 
unknown. Our solution performs the V-nesting strategy from three different starting point 
instances. The goal of the vector norm analysis is to determine whether the starting point 
of minimum, midrange, or maximum budget is a better strategy for V-nesting. Define the 
vectors V MIN , V MID and V MAX to be the difference vectors associated with starting points 
of minimum, midrange and maximum defense and attack budget scenarios, respectively. 
Table 10 shows the associated norms for V MIN , y MID and V MAX on the test network with 
parameterized defense and attack budgets. 


Table 10. Vector Norm Analysis at Different Starting Point Instances 


Test Network -Defense and 
Attack Budget Unknown 

yMIN 

yMID 

yMAX 

Vector 1-norm: IIVII i 

118.0 

75.0 

28.0 

Vector 2-norm: IIVII 2 

31.3 

24.7 

9.5 

Vector 00 -norm: IIVII 00 

16.0 

13.0 

6.0 


In Table 10 we can see that the norms associated with the V MAX vector are always 
smaller than the norms associated with the V MID and V MIN vectors. Therefore, an analyst 
should choose the nesting strategy start point of maximum defense and attack budgets 
because it is closest to the optimal solution. 

2. Matrix Analysis 

It is also possible to analyze the difference between nested defense solutions and 

optimal solutions in a matrix we call the difference matrix. Rows of the matrix represent 

the defense budget in a problem instance, in ascending order from minimum to 

maximum. Columns of the matrix represent the attack budget in a problem instance, also 
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in ascending order from minimum to maximum. Any particular element in the difference 
matrix represents the difference between the nested defense objective function value and 
the optimal objective function value for a specific defense and attack budget. 

The use of the difference matrix to calculate a distance between a set of nested 
defenses and the corresponding optimal defenses can be performed with matrix norms 
shown in Figure 29. The matrix 1-norm represents the maximum absolute column sum 
(Leon, 2010, p. 407). The matrix 1-norm corresponds to fixing the number of attacks and 
calculating the maximum sum of differences across changing defense budgets. The 
matrix infinity norm represents the maximum absolute row sum (Leon, 2010, p. 407). 
The matrix infinity norm calculates the maximum sum of differences as the attack budget 
changes. We can also use the matrix Frobenius norm, which is defined as the square root 
of the sum of squares of all of the elements in the matrix (Leon, 2010, p. 235). 

l M lli=“ a /ZKI» 

aeA 

beB 

Figure 29. Description of Matrix Norms. Adapted from Leon (2010). 

Each of these matrix norms is best suited to a particular type of parametric 
programming analysis. The matrix 1-norm would be best when the defense budget is 
subject to parameterization and the attack budget is known. The matrix infinity norm 
would be best when the attack budget is known and the defense budget is subject to 
parameterization. Lastly, an analysis of the Frobenius norm would make sense when both 
the attack and defense budget are unknown. 

To understand why the matrix 1-norm is best for unknown defense budgets, 
suppose the defense budget is parameterized and the attack budget is known to be two 
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units. In this case, the matrix of all possible defense and attack budget combinations 
reduces to a simple column vector, as shown in Figure 30. 
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Figure 30. Use of the Matrix 1-Norm for U nk nown Defense Budgets 

Conversely, to see why the matrix infinity-norm is best for the unknown attack 
budget situation of “persistent defenses,” suppose the defense budget is fixed at two units 
and the attack budget is parameterized. In this case, the matrix of all possible defense and 
attack budget combinations reduces to a simple row vector, as shown in Figure 31. 



Figure 31. Use of the Matrix Infinity-Norm for Unknown Attack Budgets 

Lastly, the situation of unknown defense and attack budgets can also be analyzed 
with matrix norms. The Frobenius norm is the unbiased choice for this situation since 
both budgets are unknown and parameterized. Each element of the difference matrix is 
scrutinized equally with the Frobenius norm. However, nothing prohibits the analyst from 
using the other matrix norms. If the analyst prefers to bias the analysis in favor of the 
unknown defense budget, then the matrix 1-norm could be employed. Similarly, if the 
analyst is biased toward the unknown number of attacks that must be defended, the 
matrix infinity norm could be used. 

To see how matrix norms are computed for the test network with unknown 
defense and attack budgets, we define three difference matrices, M min , M m1d and M max 
which denote starting points of minimum, midrange and maximum defense and attack 
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budgets, respectively. The V-nesting approach is used as the nested defense strategy. The 
difference matrices for each starting point are presented in Figure 32. 
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Figure 32. Difference Matrices for Unknown Defense and Attack Budgets 


The associated matrix norms for each difference matrix are presented in Table 11. 
Note that the matrix norms and the vector norms presented in the previous section 
produce different values. Flowever, the overall result for the analyst remains the same 
because the matrix norms associated with M max are smaller than the matrix norms for 
M mid and M min . Matrix norm analysis also recommends the choice of a nesting start 
point of maximum defense and attack budgets when both budgets are unknown. 


Table 11. Matrix Norm Analysis at Different Starting Point Instances 


Test Network -Defense and 
Attack Budget Unknown 

M M1N 

M M1U 

M max 

Matrix 1-norm: IIMIIi 

33.0 

35.0 

7.0 

Matrix Frobenius-norm: IMII F 

31.3 

24.7 

9.5 

Matrix oo-norm: IIML 

43.0 

32.0 

13.0 
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3. Percentage Gap From Optimality 

A different way to measure the distance of a nested defense from the optimal 
defense is to measure the “cost of prioritization” (Koc & Morton, 2015, p. 591). In this 
approach, the analyst calculates the percentage gap between the optimal non-nested 
solution and the nested solution for each DAD instance using the fonnula in Figure 33. 

% optimality gap = inested objedw - optimal objective) m% 

optimal objective 

Figure 33. Optimality Gap Equation. Adapted from Koc and Morton (2015). 

Each nested defense objective function value would be compared to the optimal 
non-nested objective function value in order to determine the percentage from optimality 
gap. In the test network, this analysis produces 36 measurements. In order to reduce these 
36 measurements to just one measurement, the analyst can use summary statistics. The 
analyst can calculate the mean and the standard deviation of the percentage of optimality 
gap. However, the analyst must be cautioned to not make the faulty assumption that an 
underlying distribution exists on this population of numbers. This set of percentages is 
not a sample from a larger set and there is no reason to believe that the percentage of 
optimality gap follows some type of named distribution. 

Table 12 summarizes the optimality gap in the situation where both the defense 
budget and attack budget are unknown. We use the “V” nesting strategy to obtain our 
results. The optimality gap analysis shows us that the best choice for the nesting start 
point is the instance of maximum defense and attack budgets. This start point has the 
smallest mean percentage gap with the tightest standard deviation. In the worst problem 
instance, this starting point also has the smallest optimality gap. 
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Table 12. Test Network Optimality Gap Percentages 


Defense and 
Attack Budget 
Starting point 

Optimality Gap Percentages 

Mean (%) 

Std. Dev (%) 

Worst (%) 

0 (Minimum) 

7.10 

8.43 

28.13 

3 (Midrange) 

4.32 

6.69 

22.00 

5 (Maximum) 

2.10 

3.74 

13.60 


4. Minimax Regret Analysis 

Another method to measure the distance from optimality of various nesting 
strategies would be the decision theory criteria of minimax regret. A common definition 
of regret is given by Taylor as “the difference between the payoff from the best decision 
and all other decision payoffs” (2007, p. 519). In our context, each budget scenario 
instance has a payoff of the difference in objective function values between the nested 
and optimal defenses. Each problem instance can have a different payoff depending on 
the starting point alternative that is chosen by the analyst. The analyst’s choice of 
alternatives are the nesting starting point instances of minimum, midrange or maximum 
defense and/or attack budgets. The goal in minimax regret analysis is to choose the 
alternative that minimizes the maximum amount of regret for any possible future 
outcome (Taylor, 2007, p. 519). 

For example, we use the test network with u nkn own defense and attack budgets 
for our heuristic strategy. The decision matrix in Table 13 gives the difference between 
the nested defense and optimal non-nested defense objective function values for all future 
budget scenarios. Each possible future defense and attack budget combination has a 
payoff that is influenced by the three possible alternatives of beginning the nesting of 
defenses minimum, midrange or maximum defense and attack budgets. Next, the Table 
14 regret matrix is built by examining the payoffs in each column and assigning zero to 
the smallest value. The regret associated with the other values in each column is 
computed as the difference between the obtained value and the smallest value. From the 
regret matrix, we can see that the best choice of nesting starting points is the maximum 
defense and attack budget alternative because it has the smallest maximum regret. 
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Table 13. Decision Matrix for Unknown Defense and Attack Budgets 


Decision Matrix 


Future State (Defense Budget, Attack Budget) 
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Table 14. Regret Matrix for Unknown Defense and Attack Budgets 
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5. Equal Likelihood Analysis 

Another method available to the analyst in judging the distance between a nested 
defense and the optimal defense would be to view each possible defense and attack 
budget realization as equally likely. In classical decision theory, this type of approach is 
called the equal likelihood or Laplace criterion (Taylor, 2007, p. 521). This type of 
decision approach would make sense when the analyst has absolutely no insight about 
what the realization of the defense or attack budget could be. For each different nesting 
starting point scenario, the analyst would assign an equal weight to each payoff for all 
possible defense and attack budget combinations that are unknown. Next, each row 
alternative is the weighted sum of all payoffs. The smallest sum represents the best 
outcome, since we are seeking an alternative that is as closest to the optimal solution. 

Table 15 shows equal likelihood analysis applied to the test network with 
unknown defense and attack budgets. Since there are 36 possible combinations of defense 
and attack budgets for the test network, we assign a weight of 1/36 to each possible 
payoff in the decision matrix. Each difference value is multiplied by the equally likely 
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probability of 1/36 and the sum of all weighted differences is made for each starting point 
alternative. The smallest sum is preferred choice. Table 15 shows us that the starting 
point of maximum defense and attack budgets is the best choice. 


Table 15. Equal Likelihood Analysis for Unknown Defense and Attack 

Budgets 


Decision Matrix 
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F. NESTED DEFENSES WITH A SUBOPTIMAL STARTING SCENARIO 

In this section, we show that it is possible to find a nested defense that is closer to 
the optimal solution than any nested defense that begins with an optimal solution to a 
DAD problem with a parameterized budget. In this approach, the nesting heuristic does 
not begin with a starting point budget scenario that is equal to the optimal solution. We 
refer to type of approach to the nested defense DAD problem as suboptima/ nesting. 
Suboptimal nesting involves finding nested defenses to parameterized DAD problem 
instances that are closer to optimal over the entire range of parameterized budgets than 
any particular nested defense that begins with the optimal solution to the DAD problem 
instance. The vector norm of differences of the suboptimal nested defense is smaller than 
the vector nonn of any nested defense that begins at an optimal starting point. 

Up to this point, we have assumed that a heuristic search for nested defenses must 
begin with an optimal solution to a nested defense DAD problem instance with a 
parameterized budget. We now remove that assumption. In this section only, we require 
that a nested defense objective function value may not equal the optimal defense 
objective function value for any specific DAD problem instance. 
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VffleQ 


(3-3) 


Suboptimal Nested Defense Assumption 



Proposition 3-4: It is possible that the nested defense closest to the optimal solution may 
have no instances with objective function values that are equal to the optimal solution. 

Proof of proposition 3-4: For an example of an instance where suboptimal nesting 
is the closest strategy, consider the test network with a defense budget of five units, and a 
parameterized attack budget. Recall that we use the term persistent defense for a kn own 
defense budget and an u nkn own attack budget. An analyst can solve DAD problem 
instances to find different starting points for persistent defenses. However, the analyst is 
now interested in finding a suboptimal defense that might be closer to optimal. After trial 
and error with starting point instances that are suboptimal, the analyst could find a 
suboptimal nested defense strategy that is overall closer to the optimal non-nested 
defense in terms of the vector norm than any of the optimal starting point strategies. 

The objective function values are shown in Table 16 for each different starting 
point. The optimal objective function values are shaded green in Table 16 to show that 
the suboptimal nesting strategy is not optimal for any problem instance. Table 17 shows 
the persistent defenses for defending the test network against an u nkn own number of 
enemy attacks. Figure 34 gives a graphical representation of the data in Table 16. It is not 
immediately obvious from Table 16 or Figure 34 that the suboptimal nesting strategy is 
overall the closest nesting strategy to the optimal solution. 


Table 16. Objective Function Values for Suboptimal Nesting Example 


Nesting Strategy 

Attack Budget 


0 

1 

2 

3 

4 

5 

Optimal Solution (not nested) 

20 

21 

32 

41 

53 

59 

Start point: Minimum Attack Budget 

20 

22 

37 

62 

63 

71 

Start point: Midrange Attack Budget 

23 

25 

40 

41 

56 

63 

Start point: Maximum Attack Budget 

25 

27 

42 

43 

58 

59 

Suboptimal Nest 

21 

23 

37 

46 

55 

62 
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Table 17. Nested Defenses in Test Network for Suboptimal Nesting Example 


Nesting Strategy (Defense Budget =5) 

Persistent Defenses Chosen 

Start point: Minimum Attack Budget 

(3, 8) (5, 10) (10, 13) 

Start Point: Midrange Attack Budget 

(3,8) (9, 13) (10, 11) (10, 13) 

Start point: Maximum Attack Budget 

(2, 7) (7, 8) (9, 13) (10, 11) (10, 13) 

Suboptimal Defense for All Attack Budgets 

(8, 12) (3,8) (9,10) 


Suboptimal Nesting Strategy on Test Network 



Attack Budget 

Figure 34. Objective Function Values for Various Nesting Strategies 


A comparison of the difference vector norms proves that suboptimal nesting can 
be closer to optimal than any other nesting strategy. The difference vectors are shown in 
Figure 35. The definitions of V MIN , V MID , and y MAX are unchanged, and V SUB is defined 
as the difference between the suboptimal nesting and optimal. The associated norms for 
these vectors are all given in Table 18. The smallest values for each norm are shaded 
green in Table 18, and it can easily be seen that the suboptimal nesting strategy has the 
smallest vector norms. Therefore, it is possible that a suboptimal nesting strategy can be 
the closest nesting strategy to the optimal solution in a DAD problem instance. 

103 














M** = 


'0 

0 

0 

0 

0 

0 " 


'0 

0 

0 

0 

0 

O' 

0 

0 

12 

0 

0 

0 


0 

0 

0 

0 

0 

0 

0 

4 

5 

16 

8 

10 

M *® = 

1 

0 

0 

3 

0 

8 

0 

4 

2 

4 

5 

10 


1 

0 

0 

0 

0 

1 

0 

4 

5 

2 

6 

0 


0 

1 

3 

3 

4 

13 

0 

5 

9 

2 

5 

0 


0 

2 

7 

7 

4 

13 


M** = 


0 0 0 0 0 0 ' 

0 0 0 0 0 0 

1 0 0 0 0 0 

0 2 0 1 0 1 

0 2 0 2 3 6 

0 3 4 2 1 0 


Figure 35. Difference Vectors for Suboptimal Nesting Example 


Table 18. Difference Norms for Suboptimal Nesting Example 


Defense Budget= 5 and 
Attack Budget Unknown 

yMIN 

yMID 

yMAX 

ySUB 

Vector 1-norm: IIVII i 

49.0 

22.0 

28.0 

18.0 

Vector 2-norm: IIVII 2 

26.7 

10.7 

13.8 

8.2 

Vector 00 -norm: IIVII 00 

21.0 

8.0 

10.0 

5.0 


Proposition 3-5: A suboptimal nested defense solution with smaller difference norms 
than all other nested defense solutions with optimal starting points will not always exist 
for a DAD problem instance with a parameterized budget. 

Proof of proposition 3-5. Consider a network where the optimal defenses for an 
unknown defense budget are also a nested defenses. Nehme and Morton (2010) have 
proven that such networks exist. A nested defense that is also the optimal defense would 
have a difference norm of zero. Since no defense can have a better objective function 
value than the optimal defense in a DAD problem, it would be impossible to find a nested 
defense that is better than the optimal defense. 

We have shown that it is possible to have a nested or persistent defense to a 
parameterized budget DAD problem instance that does not have any solutions that are 
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common with the optimal solutions. The problem with searching for a suboptimal nested 
defense is that finding such a defense is simply an intelligent search by the analyst for a 
better nested defense than those that are optimal at the nesting starting points. This 
method relies upon the analyst’s knowledge and experience with the system. 
Unfortunately, this kind of “trial and error” method for finding a nested defense is 
nothing more than a heuristic that is limited by the time and talent of the analyst. We 
need a deliberate way to find the best nested defense for unknown budgets. 

G. OPTIMIZING THE BEST NESTED DEFENSE 

Our investigation up to this point has been focused on heuristic strategies for 
finding a nested defense. We now desire an exact procedure to produce the best possible 
nested defense for a DAD problem. The best nested defense is defined as a nested defense 
that has the smallest difference from the optimal non-nested defenses for a DAD problem 
instance with parameterized defense and/or attack budgets. The smallest difference can 
be measured in different ways, which we have previously introduced as the vector 
difference norms. In this section, we do not place any restrictions on whether nested 
defenses may or may not equal the optimal defense objective function value. We 
formulate the nested defense DAD problem as parametric programs with different norms 
as objective functions. 

Our approach to finding the best nested defense to a DAD problem instance fits 
the framework of a stochastic linear program because some of the problem data is 
uncertain (Birge & Louveaux, 2011, p. 57). The action of the defender in choosing the 
best nested defense can be thought of as a “first stage decision” and the worst-case attack 
chosen by the attacker as well as the subsequent optimal operation of the resulting system 
can be thought of as “second stage decisions” (Birge & Louveaux, 2011, p. 58). The 
structure of the nested defense DAD parametric programming problem is reminiscent of 
the “L-shaped stochastic programs with recourse” that were popularized by Van Slyke 
and Wets (1969, p. 656). Specifically, the addition of nesting constraints over the set of 
budget scenarios gives the nested defense DAD problem a “block angular structure” 
(Birge & Louveaux, 2011, p. 183), except our formulation is somewhat more complicated 
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than the models seen in the literature. The extra complexity of the nested defense DAD 
problem resides in the fact that the outer minimization and maximization operators are 
both over integer variables. Our approach also departs classic stochastic programming 
theory because we do not represent the uncertain budgetary data as a random variable. 


Sets: 

co efi Uncertain defense and/or attack budget scenarios 


Data 

attackbudget'" 
defens ebudgef 0 
optimal co 


Attack budget in scenario co. 

Defense budget in scenario co. 

Optimal (non-nested) objective function value for budget co. 


Decision Variables 


W w 

yy ijd 

\r(D 

yCO 

1 ijd 


Amount of unfulfdled demand at node n in budget scenario co. 
Binary; 1 if edge (i,j) chooses defense option d in scenario co. 
Binary; 1 if edge (i,j) is attacked, 0 otherwise in scenario co. 
Amount of flow on arc (i,j) for defense d in budget scenario co. 


1. Best Nested Defense as Measured by 1-Norm 

An intuitive way to measure the best nested defense is to add up all of the 
differences between a nested defense and the optimal defense for all possible budget 
scenarios. The best nested defense would then have the smallest sum over the budget 
scenarios. The 1-nonn fonnulation of the nested defense DAD problem will find the best 
nested defense for a network with parameterized budget scenarios in terms of the sum of 
all deviations from optimality. 


DAD Problem with Nested Defense Formulation (1-norm) 

M, = ZZ E U +9„ 1 -X‘)- Y ‘ J +(c IU + ■X")-Y? u +'g J S:-p,-optimal" ,(3,4a) 

cyeQ deD (i,j)eE neN 
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Objective Function: 

minmax min IIfII , (3.4b) 

Kd x “ Y v*’ s » 


Subject to: 


£ £ -£ £ C -K S demand. 

dGD(n,j)GA cIgD (i,n)GA 

Vn e N,co e Q, 

(3.4c) 


V(z, j) e E,d eD,co e Q, 

(3.4d) 

X r. • < attack _ budget 01 

0,j)^d 

VffleQ, 

(3.4e) 

X X h nd ‘ W w - defense _ budget" 1 

deD: (i,j)<=E 
d*d 0 

Vffle f2, 

(3.4f) 

ii 

Lr 

V(i,y) e E,g>eQ, 

(3.4g) 

VI 

\/(i,j)EE,dED:d^d 0 ,a>ED., 

(3.4h) 

IV 

o 

V(iJ) e A,d e D,k e K,a> eQ, 

(3.4i) 

S? >0 

Vn e N,co e Q, 

(3.4j) 


V(z,y) eE,coeD., 

(3.4k) 

^£{0,1} 

V(z, j) e E,d e D,co e Q. 

(3.41) 


Equation (3.4a) defines the 1-norm as the sum across all budget scenarios of the 
difference between the nested defense and the optimal defense. Expression (3.4b) is the 
tri-level optimization objective to minimize the 1-norm for the DAD problem instance. 
Equation (3.4c) represents the balance of flow constraints for each node in the network 
under each budget scenario, with an elastic variable (S) compensating for unfulfilled 
demand. Equations (3.4d) are the bi-directional capacity constraints for each edge in the 
network, forcing total flow on an edge to be less than the maximum capacity for the edge 
under a defense option chosen for each budget scenario. Equation (3.4e) is a budget 
constraint on the attacker to ensure that the attacker can only attack as many edges as he 
or she can afford for each budget scenario. Equation (3.4f) is a budget constraint on the 
defender which ensures the amount of network defense stay within the budget scenario. 
Equation (3.4g) ensures each edge in the network can only have one defense option 
chosen for each budget scenario. Equation (3.4h) ensures the defenses chosen in one 
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budget scenario are also chosen in the next budget scenario. Equations (3.4i)-(3.41) 
enforce variable types. 

The system of Equations (3.4) is a linear program, even though it might not 
appear to be initially. The attack (X) and flow (Y) decision variables are multiplied 
together, but one variable is maximized, and the other variable is minimized. 
Decomposition of the problem formulation results in a linear program. Nested 
decomposition procedures are similar to those discussed in Chapter I. 

Next, we perfonn decomposition of the nested defense DAD problem with 1- 
nonn objective. The first part of the decomposition is the AD subproblem. The AD 
subproblem primal version has a max-min objective function. In order to simplify the 
problem, we take the dual of the inner minimization operator model, since the flow 
decision variables (Y) are continuous. We define ‘modular decomposition’ of the AD 
subproblem to be the solution to a series of AD subproblems that each pertain to a 
specific defense and attack budget scenario (to). 


Additional Decision Variables: 

Dual variable for edge (i,j) with defense option d for budget scenario to 
Dual variable for node n for budget scenario co. 

AD subproblem objective for each scenario co. 

Sum of all AD subproblem objectives in the set of budget scenarios Q. 

Nested Defense AD Dual Subproblem, 1-Norm Objective: 

z sub total ~ max Z nuAL , (3.5a) 

X j’ttjd’K" ® e n 


a. 


ijd 


n„ 


J DUAL 


J SUB TOTAL 


Subject to AD Subproblem Modular Decompositions '. 

Z dual =~Yj n n- demand n - £ Z u ijd • a® • - optimal 03 VcoeQ, (3.5b) 

neN ( i,j)eE deD 

Subject to: 
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— UJ , UJ UJ 

-n i + itj -a ijd 


KJ 




+ x« 


I i<j 


K ^ Pn 

^) j Fj ■ X“ < attack_budget m 

(iJ)cA 

* 0 

* o 

jr- e {0,1} 

£ £*" + £ £ (i-Ar-)ai. 


\i>] 


V(/,y) g E,d e D,co e Q,(3.5c) 

V/iejV,0£fi, (3.5d) 

VffleQ, (3.5e) 

V«eA,<neQ, (3.5f) 

V(i,j) <= A,d <= D,a> sQ., (3.5g) 
\/(i,j)eE,a>eQ, (3.5h) 

(3.5i) 


( i,j)eE coed: 


( i,j)eE coed: 


Expression (3.5a) of the AD decomposition uses a dual Integer Linear Program 
(ILP) formulation to transfonn the max-min structure of the AD subproblem to a 
maximization problem. Expression (3.5a) is the beginning of the modular decomposition 
of the original problem, because the objective is a summation of a series of AD 
subproblems for all of the budget scenarios. Equation (3.5b) shows that each budget 
scenario objective is a difference between the nested defense solution and the optimal 
solution. The optimal solution for each budget scenario was computed with the 
formulation in Chapter I and is included as data in this model. Equation (3.5c) is the 
constraint for each undirected edge under each budget scenario. Equation (3.5d) is the 
dual constraint for each node of the network for each budget scenario. Equation (3.5e) is 
the restatement of Equation (3.4e) in the decomposition. Equations (3.5f)-(3.5h) define 
variable types. Equation (3.5i) are the SEC needed for decomposition of the binary 
variables when attacks are repeated in iterations of the master problem. The subscript “k” 
in Equation (3.5i) refers to the iteration of the decomposition for the master problem. 

The system of Equations (3.5a-i) are decoupled over all of the budget scenarios 
((<)). The decoupling can be observed by noting that the defense variables (W) have fixed 
values, which is symbolized by the hats on these variables. There is no constraint within 
the AD subproblem that connects any budget scenario ( 0 ) to any other budget scenario. 
Thus, each budget scenario ( 0 ) is independent in the AD subproblem, which allows for 
the commutation of the summation and maximization operators in Equation (3.5a). 
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The nested defense DAD decomposition master problem takes the attacks (X) for 
each budget scenario (co) as well as the AD subproblem objective function as an upper 
bound. The master problem li nk s together all of the budget scenarios over a series of 
iterations in the outer decomposition. The result of each iteration of the nested defense 
DAD master problem is a potential lower bound and a set of defenses chosen (W) to 
begin the next iteration of AD subproblems. 


Additional Sets: 

k e K Decomposition iterations 


Additional Decision Variables (units): 


nk 

\rCO 

A ijk 

yCO 

1 ijdk 


DAD 


J DAD TOTAL 


Amount of unfulfilled demand at node n in scenario co for iteration k. 
Binary; 1 if edge (i,j) is attacked in budget scenario oj for iteration k. 
Amount of flow on arc (i,j) for defense d in scenario co for iteration k. 
Difference of nested & optimal objective function values for scenario co. 
DAD master problem objective function value 


Nested Defense DAD Master Problem, 1-Norm Objective: 


ZDAD TOTAL 

— W co V M 

"ijdJijik^nk 


V z a 

/ j ^ DAD ’ 


(3-5j) 


Subject to DAD modular decompositions: 

bv-ki 

deD ( i,j)eE ' 

X X h ijd ■ Wy d < defense_budget 


Z»A» > Z S k* + 


Y‘° +lc + 

1 ijdk ' I ^ jid ^ 


(djui • )) • Yf dk - optimal (0 \/co e Q, (3.5k) 


VffleQ, 


(3.51) 


deD: (i,])<^E 
d*d 0 

XX K*-XX r--S’i demand. 

deD (n,j)e.A dGD(i,n)eA 

X + 

U.f^E 

XK =i 

deD 

W 10 < W°> +1 
" ijd ~ n ijd 

o-i} 


Vn e N,k e K,co e Q, (3.5m) 

V(z,y) g E,d e D,k e K,co e Q,(3.5n) 

\/(i,j)eE,coe Q, (3.5o) 

\/(i,j)eE,deD:d^d 0 ,a>eD., (3.5p) 
\/(i,j)eE,dsD,a)eQ., (3.5q) 
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V/z e N,k e K,co e Q, (3.5r) 

V(z,y) e <= D,k eK,cosQ.. (3.5s) 

Expression (3.5j) is the decomposition master problem, which minimizes the sum 
of differences between the nested defense and optimal defense, for all budget scenarios. 
Equation (3.5k) represents the difference between the nested defense objective function 
value and the optimal value for each of the budget scenarios. Equation (3.51) is the budget 
constraint on the defender for each of the budget scenarios. Equation (3.5m) represents 
balance of flow on the network for each of the budget scenarios. Equation (3.5n) enforces 
the maximum flow on each edge of the network when the defense option is chosen for 
each of the budget scenarios. Equation (3.5o) allows one defense option for each edge, 
for each budget scenario. Equations (3.5p) are the nesting constraints, which force the 
defenses chosen in a budget scenario (co) to also be chosen in the next budget scenario 
(co+1). Equations (3.5q-s) enforce variable types. 

2. Best Nested Defense as Measured by Infinity-Norm 

There are also other ways that an analyst may choose to define the best nested 
defense. The analyst may desire that the best nested defense must have the smallest 
possible difference from the optimal solution for any budget scenario. With this view, the 
objective function value for the nested defense may differ from the optimal value for 
many budget scenarios, but the largest difference is as small as possible. The infinity 
norm formulation of the nested defense DAD problem will find the best nested defense 
for a network with parameterized budget scenarios by keeping the largest difference 
between nested defense and optimal defense as small as possible. If the analyst desires to 
find the best infinity-norm nested defenses, he or she can modify the nested defense DAD 
problem as follows: 


s,:>o 
Y£ k > 0 


Nested Defense DAD Problem Formulation (Infinity-Norm) 
I {c v +^)-Y‘ + {c lu+qiu X‘\Y^ 

deD ( i,j)<=E 


+ ^ S® • p "-optimal 03 , (3.6a) 

neN 


ill 



Objective function (Infinity-norm): 

min max min \\V II . (3.6b) 

Kd x “ 

Equation (3.6a) defines the infinity norm for the nested defense DAD problem 
and would replace Equation (3.4a) in the formulation of the nested defense DAD 
problem. Equation (3.6a) finds the maximum difference between the nested defense 
objective function value and the optimal defense objective function value over the set of 
all possible budget scenarios. Expression (3.6b) replaces (3.4b) in our formulation. 
Expression (3.6b) is a four level optimization problem that seeks to minimize the 
maximum difference between the nested defense and the optimal defense. The AD sub¬ 
problem decomposition constraints of Equations (3.4c-l) remain for the infinity norm 
formulation. The decomposition of the infinity norm nested defense DAD problem has 
two changes from the 1-norm decomposition problem presented in the previous section. 


DAD Master Problem, Infinity-Norm Objective: 

mi * 1 Z dad total ’ (3.6c) 

Add the following constraint for DAD modular decomposition: 

Z DAD _ TOTAL ^ Z DAD V« £ Q. (3.6d) 

Equation (3.6c) replaces Equation (3.5j) as the objective for the decomposition 
master problem. The decomposition problem as seen in Equations (3.5k-r) are the same 
in the infinity nonn case, and Equation (3.6d) is added as an additional constraint to 
ensure the master problem objective function value is at least as large as the biggest 
difference between nested defense and optimal defense. Equation (3.6c) works along with 
Equation (3.6d) to minimize the maximum difference between nested defense and 
optimal defense over the set of all budget scenarios. 
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3. Best Nested Defense as Measured by 2-Norm 

The 2-norm is desirable as an objective for the parametric programming problem 
because it can be thought of increasing the amount of penalty to the objective function as 
the difference between the nested defense and optimal defense grows. However, the 2- 
norm formulation of the nested defense DAD problem is more challenging to implement 
because it is a nonlinear quadratic program. Therefore, our formulation will use the 
square of the 2-norm in order to ensure we have a convex optimization problem. In our 
results, we report the square root of the solution to the quadratic parametric program in 
order to obtain the actual 2-norm value. 


Nested Defense DAD Problem Formulation (Squared 2-Norm) 


I'll’ = E El (<v +q„ d x;)-Y,Z +(cj U +q, u x;)-Y; d + Y 1 s:- Pn -optimal- 

coeQ. y d&D (i,j)eE neN J 


, (3.7a) 


Objective function (Squared 2-Norm): 

II m2 

minmaxmin F . (3.7b) 

Kd X V Y Vd’ S n 

Equation (3.7a) defines the squared 2 nonn for the nested defense DAD problem. 
Expression (3.7b) is the tri-level optimization objective to minimize the squared 2-norm 
for the nested defense DAD problem instance. The AD sub-problem decomposition 
constraints of Equations (3.4c—1) remain the same for the squared 2-norm formulation. 
Equation (3.7a) replaces (3.4a) and (3.7b) replaces (3.4b) when the squared 2-norm is the 
objective. The decomposition of the squared 2-norm nested defense DAD problem has 
two changes from the 1-norm decomposition problem presented in the previous section. 


AD Dual Subproblem, Squared 2-Norm Objective: 



(3.7c) 


113 



Equation (3.7c) replaces Equation (3.5a) from the 1-norm AD subproblem 
formulation. Equation (3.7c) is the sum of the squared values of a series of AD 
subproblems, one for each budget scenario. The constraints in the AD dual subproblem 
for the 2-nonn objective function are the same as those for the 1-norm AD dual ILP sub¬ 
problem that are found in Equations (3.5b-i). 


DAD Master Problem, Squared 2-Norm Objective: 

^DAD_TOTAL = X \ Z DAD ) ' 

coed "vd '' I 'J kd ’^ nk 


(3.7d) 


Equation (3.7d) replaces Equation (3.5j) from the 1-norm fonnulation. Equation 
(3.7d) makes the master problem a quadratic program. The remaining constraints are 
unchanged from the 1-norm DAD master problem, found in Equations (3.51- r). 

4. Implementation on Test Network 

Our formulation can find the best possible nested defense in terms of the 1-norm, 
infinity norm, or squared 2 norm on the test network. The following examples illustrate 
how our formulations can find better nested defenses to DAD problem instances than the 
heuristic approaches. 

a. 1-Norm Formulation Example 

The first example is the 1-norm formulation for the nested defense DAD problem 
on the test network when the defense budget is parameterized, but the attack budget is 
known to be two units. Tables 19 and 20 summarize the different nested defenses chosen 
and objective function values for each nesting strategy. Table 17 shows us that the first 
defense chosen by the 1-norm parametric program is the same as the minimum starting 
point heuristic, but the other defenses chosen are different. Our formulation is able to 
exploit a weakness of the heuristic. The heuristic does not explore all equivalent optimal 
solutions every time the parameterized budget is incremented by one unit. 
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Table 19. Objective Function Values in 1-Norm Nesting Example 


Nesting Strategy (Attack Budget = 2) 

Defense 

3udget 


0 

1 

2 

3 

4 

5 

Optimal Solution (not nested) 

62 

50 

45 

45 

37 

32 

Start point: Minimum Defense Budget 

62 

50 

47 

47 

39 

38 

Start point: Midrange Attack Budget 

62 

62 

47 

45 

39 

38 

Start point: Maximum Attack Budget 

62 

62 

47 

45 

38 

32 

1-norm Nesting Strategy 

62 

50 

47 

47 

38 

32 


Table 20. Nested Defenses Chosen in 1-Norm Nesting Example 


Nesting Strategy 
Attack Budget =2 

Defenses Chosen at Defense Budget Level 

0 

1 

2 

3 

4 

5 

Start point: 
Minimum 
Defense Budget 

None 

(2,7) 

(2.7) 

(7.8) 

(2.7) 

(7.8) 

(2,7) (7,8) 
(5,10) 

(2,7) (7,8) 
(5,10)(8,12) 

Start Point: 
Midrange 
Defense Budget 

None 

None 

(5,10) 

(5,10) 

(7,8) 

(5,10) (7,8) 
(2,7) 

(5,10) (7,8) 
(2,7) (8,12) 

Start point: 
Maximum 
Defense Budget 

None 

None 

(5,10) 

(5,10) 

(8,12) 

(5,10)(8,12) 
(2,7) 

(5,10) 

(8, 12) (2,7) 
(11,15) 

1-norm 

Nesting Strategy 

None 

(2,7) 

(2,7) 

(8,12) 

(2,7) 

(8,12) 

(2,7)(8,12) 
(5,10) 

(2,7) (8,12) 
(5,10) 
(13,14) 


Figure 36 presents a graphical display of the information contained in Table 19. In 
Figure 36, the blue diamonds that represent the 1-norm nested defenses appear to be the 
closest to the optimal solutions shown by the green stars. In order to prove that the 1- 
nonn is the nested defense that is closest to the optimal non-nested defense in this 
example instance, we show the difference vectors in Figure 37. We use the notation V MIN , 
V MID , and V MAX for the difference vectors associated with the heuristic starting points of 
minimum, midrange and maximum defense budgets, respectively. We define V L1 for the 
difference vector associated with the 1-norm parametric program. In Table 21, we 
compute the various difference norms associated with the difference vectors. Even 
though our parametric program in this example had the minimization of the 1-norm as its 
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objective, we observe in Table 21 that the resulting nested defense has the smallest 1- 
norm, 2-norm and infinity norm of all of the nesting strategies tried in the example. 


1 Norm Nesting Strategy on Test Network 



Figure 36. Test Network Nested Defense with 1-Norm Nesting Example 
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Figure 37. Difference Vectors for 1-Norm Nesting Example 
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Table 21. Difference Norms for 1-Norm Nesting Example 


Defense Budget Unknown 
Attack Budget =2 

yMIN 

yMID 

yMAX 

y L1 

Vector 1-nonn: IIVII i 

12 

22 

15 

5 

Vector 2-nonn: IIVII 2 

6.93 

13.71 

12.21 

3 

Vector 00 -norm: IIVIIoo 

6 

12 

12 

2 


b. Infinity Norm Formulation Example 

An example of nesting defenses based on the infinity nonn formulation considers 
the test network with an u nkn own defense budget and attack budget fixed at four units. 
Tables 22 and 23 summarize the different nested defenses chosen and objective function 
values for each nesting strategy. Table 23 shows that the first defense chosen by the 
infinity nonn parametric program is the same as the minimum and maximum heuristics. 


Table 22. Objective Function Values for Infinity-Norm Nesting Example 


Nesting Strategy (Attack Budget = 4) 

Del 

'ense 

3udget 


0 

1 

2 

3 

4 

5 

Optimal Solution (not nested) 

113 

82 

74 

66 

58 

53 

Start point: Minimum Defense Budget 

113 

82 

74 

74 

66 

53 

Start point: Midrange Attack Budget 

113 

113 

81 

66 

58 

57 

Start point: Maximum Attack Budget 

113 

82 

82 

69 

61 

53 

Infinity-Nonn Stochastic Program 

113 

82 

79 

71 

63 

55 
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Table 23. Nested Defenses Chosen for Infinity-Norm Nesting Example 


Nesting Strategy 
Att. Budget =4 

Dei 

fenses Chosen at Defense Budget Fevel 


0 

1 

2 

3 

4 

5 

Start point: 
Minimum 
Defense Budget 

None 

(10,13) 

(10.13) 

(9.13) 

(10.13) 

(9.13) 

(10,13) 
(9,13) (3,8) 

(10,13) 
(9,13) (3,8) 
(8,12) 

Start Point: 
Midrange 
Defense Budget 

None 

None 

(5,10) 

(5,10) 

(10,11) 

(5,10) 

(10,11) 

(1,5) 

(5,10) 
(10,11) 
(1,5) (6,10) 

Start point: 
Maximum 
Defense Budget 

None 

(10,13) 

(10,13) 

(10,13) 

(3,8) 

(10,13) 
(3,8)(8,12) 

(10.13) 
(3,8)(8,12) 

(9.13) 

Infinity-norm 

Stochastic 

Program 

None 

(10,13) 

(10,13) 

(7,8) 

(10,13) 
(7,8) (2,7) 

(10,13) 
(7,8) (2,7) 
(8,12) 

(10.13) 
(7,8) (2,7) 

(8,12) 

(9.13) 


Figure 38 presents a graphical display of the information contained in Table 22. 
The blue diamonds that represent the infinity norm nested defenses do not necessarily 
appear to be the closest to the optimal solutions shown by the green stars. In order to 
prove that the infinity-norm is the nested defense that is closest to the optimal non-nested 
defense in this example instance, we show the difference vectors in Figure 39. We define 
V 1 ' as the difference vector associated with the infinity nonn formulation. In Table 24, 
we compute the various difference nonns for each nesting strategy. Table 24 shows that 
the infinity nonn objective has the smallest infinity norm of all the nesting strategies in 
this example problem instance. Surprisingly, even though our formulation in this example 
had the minimization of the infinity norm as its objective, we observe that the resulting 
defense also has the smallest 2-nonn all of the nesting strategies. 
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Infinity Norm Nesting Strategy on Test Network 



Figure 38. Test Network Nested Defense with Infinity-Norm Nesting Example 
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Figure 39. Difference Vectors for Infinity-Norm Nesting Example 


Table 24. Difference Norms for Infinity-Norm Nesting Example 


Defense Budget Unknown 
Attack Budget = 4 

yMIN 

yMID 

yMAX 

yLco 

Vector 1-norm: IIVII i 

16 

42 

14 

17 

Vector 2-norm: IIVII 2 

11.31 

32.03 

9.06 

8.89 

Vector 00 -nonn: IIVII 00 

8 

31 

8 

5 
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c. Squared 2-Norm Formulation Example 

An example based on the squared 2-nonn formulation considers the test network 
with an u nkn own defense budget and attack budget fixed at five units. Tables 25 and 26 
summarize the different nested defenses chosen and objective function values for each 
nesting strategy. We observe the defenses chosen and the objective function value of the 
squared 2-norm formulation is the same as the maximum defense starting point heuristic. 
In this case, the heuristic was able to find the nested defense that is closest to the optimal 
non-nested defense as measured by the squared 2-norm. Our formulation is also able to 
prove that these defenses are the closest to the optimal non-nested defenses. 


Table 25. Objective Function Values for Squared 2-Norm Nesting Example 


Nesting Strategy (Attack Budget = 5) 

Del 

'ense 

3udget 


0 

1 

2 

3 

4 

5 

Optimal Solution (not nested) 

131 

104 

87 

79 

65 

59 

Start point: Minimum Defense Budget 

131 

104 

96 

88 

79 

64 

Start point: Midrange Attack Budget 

131 

131 

87 

79 

71 

67 

Start point: Maximum Attack Budget 

131 

104 

97 

80 

65 

59 

Squared 2-Norm Stochastic Program 

131 

104 

97 

80 

65 

59 


Table 26. Nested Defenses Chosen for Squared 2-Norm Nesting Example 


Att. Budget =5 
Nesting Strategy 

Defenses Chosen at Defense Budget Level 

0 

1 

2 

3 

4 

5 

Start point: 
Minimum 
Defense Budget 

None 

(10,13) 

(10.13) 

(9.13) 

(10.13) 

(9.13) 
(8,12) 

(10.13) 

(9.13) 
(8,12) (7,8) 

(10,13) 
(9,13)(8,12) 
(7,8) (2,7) 

Start Point: 
Midrange 
Defense Budget 

None 

None 

(5,10) 

(5,10) 

(8,12) 

(5,10) 
(8,12)(1,5) 

(5,10)(8,12) 
(1,5)(11,15) 

Start point: 
Maximum 
Defense Budget 

None 

(10,13) 

(10,13) 

(10,11) 

(10,13) 

(10,11) 

(7,8) 

(10,13) 
(10,11) 
(7,8) (2,7) 

(10,13) 
(10,11)(7,8) 
(2,7) (9,13) 

Squared 2-nonn 
Nesting Strategy 

None 

(10,13) 

(10,13) 

(10,11) 

(10,13) 

(10,11) 

(7,8) 

(10,13) 
(10,11) 
(7,8) (2,7) 

(10,13) 

(10,11)(7,8) 
(2,7) (9,13) 


Figure 40 presents a graphical display of the information contained in Table 23. 


The blue diamonds that represent the 2-norm nested defenses appear to be the closest to 
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the optimal solutions shown by the green stars. In order to prove that the 2-norm is the 
best nested defense in this example instance, we show the difference vectors in Figure 41. 
We introduce V ~ for the difference vector associated with the squared 2-norm stochastic 
program. In Table 27, we compute the various difference norms associated with each 
nesting strategy. In Table 27 we report the actual 2-norm, which is the square root of the 
objective function value of the stochastic program. Table 27 shows that squared 2 norm 
objective and the heuristic of starting at maximum defenses both have the smallest 2- 
norm of all the nesting strategies in this example. Surprisingly, even though our 
parametric program in this example has minimization of the squared 2-norm as the 
objective, it also has the smallest 1-norm and infinity nonn. 


2-Norm Nesting Strategy on Test Network 



Figure 40. Test Network Nested Defense with Squared 2 Norm Objective 
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Figure 41. Difference Vectors for 2-Norm Nesting Example 


Table 27. Difference Norms for 2-Norm Nesting Example 


Defense Budget Unknown 
Attack Budget = 4 

yMIN 

yMID 

yMAX 

y L ~ 

Vector 1-norm: IIVII i 

37 

41 

11 

11 

Vector 2 -norm: IIVII 2 

19.57 

28.79 

10.04 

10.04 

Vector 00 -norm: IIVIloo 

14 

27 

10 

10 


H. NESTED DEFENSES IN MAXIMUM FLOW PROBLEMS 

In a maximum flow network problem, the nesting of defenses against worst-case 
attack presents a different kind of problem. In this case, the network has an infinite 
supply of items at the source of the network, and an infinite demand for items at the 
destination of the network. The edges in the network are capacitated in the number of 
units that can travel over them. The DAD maximum flow problem is adapted from the 
basic maximum flow linear program that can be found in texts such as Ahuja et al. (1993, 
p. 168) and the network interdiction problem of Wood (1993). 

DAD Maximum Flow Problem Formulation: 

Sets: 
n e N 

(6 j) e 4 
d eD 

Data: 
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Nodes of the network 

(Note: i and j are used as aliases for n ) 

(Note: s and t are the source and terminal nodes in the network) 

Undirected edges of the network 

Directed arcs of the network 

Defense plans available for undirected edges (i, j) 




























u iJd Maximum capacity of undirected edge (i,j) under defense plan d. 

q jd Penalty cost for travel on attacked arc (i,j) with defense plan d. 

Tj Cost to attack undirected edge (i,j). 

h ijd Cost to protect or build undirected edge (i, j) under defense plan d. 

attack budget Maximum attack budget. 

defense budget Maximum defense budget. 

Decision Variables (units): 

V Amount of maximum flow from source to destination (commodity units) 

W ijd Binary; 1 if undirected edge (i,j) chooses defense option d, 0 otherwise. 

X y Binary; 1 if edge (i,j) is attacked, 0 otherwise. 

Y ijd Amount of flow on directed arc (i,j) for defense d. (commodity units) 


Formulation: 

C \ 

max min max V - £ -Y ijd -X..) + (^ -Y jid -Xy) , (3.8a) 

« d 9 ’ <i d (_ (i,j)sEdsD J 

Z Z r « - Z Z y m = v ■ < 3 8b > 

{s,j)&Ad&D (j,s)&Ad&D 

’L'L y *-'L'L y m = ~ v ’ < 3 - 8c > 

(t ,j)<=Ad<=D ( j,t)GA dsD 

£ 2X- £ T, Y * =0 ’ (3.8d) 

(i,n)eAdeD ( n,j)e.Ade.D 

i,n^s n,j^s 

i,n^t n,j^t 

Y ijd + Y jid < u ijd • W i]d V(z, j) e E,d e D, (3.8e) 

^ r ■ Xj < attack _budget, (3.8f) 

U,j)cE 

Z Z h ijd • W ijd < defense_budget, (3.8g) 

deD: ( i,j)eE 
d*d 0 

Z^=l V(/,j)s£, (3.8h) 

deD 

Y i]d > 0 V(i,j)eA,deD, (3.8i) 

^e{0,l} V(/J)e£, (3.8j) 

^£{0,1} V(i,j)zE,dzD. (3.8k) 


The objective function (3.8a) expresses the three levels of optimization. The 
innermost maximization operator seeks to maximize the amount of flow on the network 
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after defenses and attacks are fixed. The middle operator has the objective of minimizing 
the amount of the resulting optimal flow by attacking edges for a given defense plan. The 
outer maximization operator chooses the optimal defense plan to maximize the worst- 
case flow over all attacks. Equation (3.8b) balances flow from the source node to the rest 
of the network. Equation (3.8c) balances the flow from the network to the terminal node. 
Equation (3.8d) represents balance of flow equations for all other nodes in the network 
that are not the source or destination nodes. Equation (3.8e) represent capacity constraints 
for each edge in the network, forcing total flow on an edge to be less than the maximum 
capacity for the edge under a defense plan and defense option chosen. Equation (3.8f) is a 
budget constraint on the attacker to ensure that the attacker can only attack as many edges 
as he or she can afford. Equation (3.8g) is a budget constraint on the defender which 
ensures the amount of network defense stays within a budget. Equation (3.8h) ensures 
each edge can only have one defense option chosen. Equations (3.8i) - (3.8k) enforce 
variable types. 

For an example of nested defenses of the DAD problem in a maximum flow 
network, consider the network proposed by Alderson et al. (2013) in their appendix. 
There are six nodes in the network that have six parallel interconnecting directed arcs 
each. Node 1 is the source node and node 6 is the destination node. The arcs all have 
specific capacity limits. The network is shown in Figure 42. The undisturbed maximum 
flow of this network is limited to 36 units by the capacity of the directed arcs. The 
authors originally considered this network in an AD scenario in order to show that worst- 
case attacks to an undefended network may not be nested. We extend their analysis of 
this network to a DAD problem that includes defenses. Suppose the attacker has an attack 
budget of five attacks, and the defense budget is subject to parametric analysis between 
zero and five units. Defending an arc in the network costs one unit of defense budget, and 
attacking an arc costs one unit of attack budget. We do not allow for the addition of new 
edges in this network. 
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Figure 42. Maximum Flow Network. Adapted from Alderson et al. (2013) 

The nested defense in this maximum flow problem would be formed as follows. If 
the defender has a budget of zero, the attacker will attack the five arcs from node 1. This 
worst-case attack will reduce the maximum flow of the network to one unit. If the 
defender has a budget of one unit, then one of the high capacity arcs from node 1 will be 
defended. The worst-case attack against this one defense will be the five highest capacity 
arcs from node 2. The maximum flow with one defense is two units. If the defender has a 
budget of two units, one high capacity arc from node 1 and one high capacity arc from 
node 2 will be defended. The worst-case attack against these two defenses would be the 
five highest capacity arcs from node 3. The maximum flow with two defenses would be 
three units. For example, the scenario of defense budget two units and attack budget five 
units is shown in Figure 43. 
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» Defended arc 
Attacked arc 

Figure 43. Maximum Flow Network with Defense Budget 2, Attack Budget 5 

The remainder of the parameterization of the network defense budget follows a 
pattern. When the defender has a budget of three units, one of each of the high capacity 
arcs from nodes 1, 2, and 3 are defended. The worst-case attack against a defense budget 
of three units would attack five of the highest capacity arcs from node 4. The maximum 
flow with three defenses would be four units. When the defender has a budget of four 
units, one of each of the high capacity arcs from nodes 1, 2, 3, and 4 are defended. The 
worst-case attack against a defense budget of four units would be to attack five of the 
highest capacity arcs from node 5. The maximum flow with a defense budget of four 
units would be five. When the defender has a budget of five units, one of each of the high 
capacity arcs from nodes 1, 2, 3, 4 and 5 are defended. The worst-case attack against five 
defenses will be to attack the five undefended arcs from node 1. The maximum flow with 
five defenses would be seven units. The results of the optimal defenses and worst-case 
attacks for the parameterized defense budget are summarized in Table 28. 
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Table 28. Optimal Defenses and Attacks in Maximum Flow Network Example 


Defense 

Budget 

Arcs 

Defended 

Arcs 

Attacked 

Maximum 

Flow 

0 

None 

5 highest capacity arcs (1,2) 

1 

1 

Arc (1,2) with capacity 7 

5 highest capacity arcs (2, 3) 

2 

2 

Arc (1,2) with capacity 7 
Arc (2, 3) with capacity 8 

5 highest capacity arcs (3, 4) 

3 

3 

Arc (1,2) with capacity 7 
Arc (2, 3) with capacity 8 
Arc (3, 4) with capacity 9 

5 highest capacity arcs (4, 5) 

4 

4 

Arc (1,2) with capacity 7 
Arc (2, 3) with capacity 8 
Arc (3, 4) with capacity 9 
Arc (4, 5) with capacity 10 

5 highest capacity arcs (5, 6) 

5 

5 

Arc (1,2) with capacity 7 
Arc (2, 3) with capacity 8 
Arc (3, 4) with capacity 9 
Arc (4, 5) with capacity 10 
Arc (5, 6) with capacity 11 

5 undefended arcs (1,2) 

7 


Table 28 shows that the defenses are nested because the defenses chosen for a 
defense budget of one unit are a subset of the defenses chosen for a defense budget of 
two units, and so on. We notice in this example maximum flow network that each nested 
defense systematically forms a backbone of highest capacity protected arcs for flow to 
travel from source node 1 to destination node 6. Each time the defense budget is 
increased, the new defense increases the resulting maximum flow of the network. The 
worst-case attack changes with each increase of the defense budget as it attempts to limit 
flow from source to destination as each new defense is added to the network. 

Proposition 3-6: Increasing the defense budget in a DAD maximum flow network has a 
non-decreasing effect on the objective function. 

Proof of proposition 3-6: DAD problems always assume that the attacker will 
make a worst-case attack. The addition of a defense in a DAD problem only occurs when 
a worst-case attack is changed to a new attack that has a smaller effect on the objective 
function value. By definition, no other attack can damage the objective function more 
than a worst-case attack. Therefore, the addition of a defense will result in a new worst- 
case attack that is no worse than the previous worst-case attack. The resulting objective 
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function value from the addition of a defense will be at least as good as the objective 
function value before the addition of the defense, or the defense will not be added to the 
network. In a DAD maximum flow problem, the addition of a defense will change a 
worst-case attack that results in a maximum flow that is at least as great or greater than 
the flow on the network before the defense was included. 

I. NESTED DEFENSE SUMMARY 

This chapter investigates the implications of producing a list of prioritized 
defenses for a system when the defense and/or attack budget is not known when defense 
decisions must be made. We use the tenn nested defenses to refer to a monotonic 
sequence of sets, where each set of defenses for a particular budget scenario contains the 
set of defenses for the next smaller budget scenario. It is clear in the literature that the 
best defenses chosen for a defense budget of two units is usually not a subset of the 
defenses chosen for a defense budget of three units, and so on. 

We examine how nested defenses differs from the optimal set of defenses for any 
particular defense and attack budget scenario for the DAD minimum cost flow problem 
on the test network of Alderson et al. (2015). In particular, we quantify the cost of 
requiring a set of defenses to be mono tonic. We examine various heuristic nesting 
strategies and compare their performance against known optimal solutions. Our heuristic 
algorithms choose an optimal defense for a particular budget scenario as an anchor point, 
and build nested defenses from it. The heuristic can either begin a nesting strategy from 
minimum, midrange or maximum budget values. We present three dimensional graphs to 
show the decision maker how an optimal defense differs from a heuristic nested defense 
in terms of system cost. 

We present five different methods for the analyst to assess how far the nested 
defense solution is from the optimal solution when parametric programming analysis is 
required for unknown budgetary parameters. Vector nonn and matrix norm methods are 
from linear algebra; optimality gap analysis is adapted from statistics; and minimax regret 
and equal likelihood analysis are from decision theory. In each method, the analyst is 
looking for the smallest possible measurement since the objective of the system is to 
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minimize cost. For the test network with uncertain budgets, the clear winner of nesting 
starting points is maximum defense and attack budgets. However, there is no guarantee 
that all of the measurement procedures contained will agree on the same starting point as 
closest to optimal. We define the best nested defense to be the set of defenses that is 
closest to the optimal non-nested solution over the set of unknown budget scenarios. Our 
example of suboptimal nesting demonstrates how our heuristic approaches may not 
produce the best set of nested defenses for a DAD minimum cost flow problem. 

In order to find the best possible nested defense, we develop a new parametric 
programming formulation of the DAD minimum cost flow problem that accepts 
uncertainty in the defense or attack budgets. This new formulation works to minimize the 
overall system cost by simultaneously considering all unknown budget scenarios. Our 
formulation adds a block of constraints to enforce monotonicity of defenses across all 
budget scenarios. Our parametric programming formulation can find the nested defense 
that is closest to optimal based on three different measurement criteria. We demonstrate 
parametric programming formulations based on the 1-norm, squared 2-nonn and infinity 
norm. We can conclude that our parametric programming formulation can generate the 
set of nested defenses that is as close as possible to the set of optimal non-nested 
solutions over all possible budget scenarios in terms of a vector norm measurement. 

Lastly, we briefly describe nested defenses for the DAD maximum flow problem. 
We formulate a DAD maximum flow model. Solution procedures for the DAD maximum 
flow model are analogous to those presented for the DAD minimum cost flow problem. 
We use a test network of Alderson et al. (2013) to describe nested defenses on simple 
DAD maximum flow network. We conclude that adding additional defenses to a DAD 
maximum flow network will not degrade network performance. 
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IV. DAD CONSTRAINED SHORTEST PATH PROBLEM 


A. PROBLEM DEFINITION 

1. Introduction 

The shortest path (SP) problem has been called “the simplest of all network flow 
problems” (Ahuja et ah, 1993, p. 6). Fulkerson and Harding (1977) introduced the idea of 
attacking segments of a network to the SP problem by maximizing the length of a 
minimum shortest path. Golden (1978) furthered Fulkerson’s work and used the term 
network interdiction problem. Wood (1993) showed that the shortest path network 
interdiction problem is NP-complete. Improvements to the algorithm for solving the 
shortest path network interdiction problem were described by Israeli and Wood (2002). 

The simple SP problem becomes the much more difficult constrained shortest 
path (CSP) problem when an additional budgetary side constraint is added, and the 
special network structure of the original problem can no longer be exploited (Ahuja et ah, 
1993, p. 599). Our research expands the complexity of the network interdiction problem 
by adding two new features. First, we expand the network interdiction problem to model 
constrained shortest paths. Second, we introduce the ability to defend segments of the 
network against attack. Even though the literature starts with and focuses on network 
flow problems, the algorithms in Alderson et al. (2011, 2014, & 2015) also apply to very 
general operator models, including those modeled as integer linear programming (ILP) 
problems. We picked CSP as the operator problem because it is a well understood 
specimen of an ILP that is almost a network flow problem. The addition of defenses to 
the network interdiction problem along with the addition of a side constraint creates the 
Defender-Attacker -Defender Constrained Shortest Path (DAD CSP) problem. 

The concept behind the DAD CSP model is similar to the general DAD model 
presented in Chapter I. For DAD CSP, our objective is to travel from source to 
destination at a minimum cost, and the additional budgetary constraint specifies that the 
total time to travel from source to destination must be within a time budget. The attacker 
desires to interdict some of the arcs of the network graph, limited by an attack budget. 
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Each attack increases the cost of traversing an arc by a fixed amount. The defender has 
the ability to prevent attacks on a subset of arcs in the network, based on a given defense 
budget. We do not consider adding new arcs as defenses in this chapter. Thus, the DAD 
CSP problem seeks to choose defenses to minimize the cost of the constrained shorted 
path resulting from a cost maximizing worst-case attack. 

We define the DAD CSP problem as follows. Given a network G = (N,A) with a 
prescribed start node 5, destination node t, arcs with costs cy and travel times %, and an 
overall time budget, T, the classical CSP problem seeks the least cost path from s to t 
such that the time expended on the path is no larger than T. The choice of arcs on the 
constrained shortest path is governed by binary variables (Y). This is the simplest version 
of the operator problem (4.1a), which we seek to embellish. If we add a distance penalty, 
qij, to each arc so that the length of an attacked arc (X) becomes Cy + qy, we obtain the 
attacker problem (4.1b). If we add the ability to protect a subset of arcs from an attack 
(W) constrained by a defense budget, we obtain the defender problem (4.1c). The 
constraint sets for defenses OP), attacks (S) and paths (Y) in (4.1a)-(4.1c) are similar to 
those in Chapter I, and are suppressed for clarity. The operator model constraint set in 
(4.1c) is dependent upon the values of defense variables, and is written as Y (W). 

min f(Y ), (4.1a) 

max min / (X, Y), (4. lb) 

min max min f(W,X,Y). (4.1c) 

ff'e'P XeE YeY(tr) 

The feasible region (Y (W)) is the same as Chapter I, except that it contains a 
single, additional side constraint limiting the time duration of any feasible path to a time 
budget (T), shown in Equation (4.Id). 

< 41d > 

(i,j)eA d&D 

The side constraint rescinds the network structure of the problem, and the path 
variables (Y) must then be treated explicitly as binary variables. Consequently, the 
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constraint set for the inner operator model (T (W)) does not allow for the direct 
substitution of continuous variables for the binary path decision variables (Y) as seen in 
Chapter 1. The formulation in (4.1c) is extremely difficult to solve. 

In order to relieve the difficulty in (4.1c), we begin by isolating the operator 
model by fixing the values of the defense variables (W) and attack variables (X) with the 
use of the hat notation ( A ) in (4.1 e). 

min f(W,X,Y). (4.1e) 

YgY(JV) 

Ahuja et al. (1993, pp. 599-605) shows that Lagrangian relaxation of a side 
constraint can be used to regain the network structure of a CSP problem. The resulting 
heuristic algorithm can be converted to a competitive optimal algorithm as shown in 
Carlyle, Royset and Wood (2008). 

We relax some of the constraints of the operator model (Y (W)) by incorporating 
them into a modified objective function with a Lagrange multiplier (p) that penalizes 
infeasibility. We use the tilde notation (~) to signify the modification of the objective 
function (f) and operator model constraint set (Y (W)) in Equation (4. If). Specifically, we 
use Y(IL)to represent the feasible region of a shortest path without the side constraint. 
We use f to represent the objective function with the penalized side constraint. 


L(W,X,//) = min f(W,X,Y,/u) = min f(W,X,Y) + /u 

7ef (W) Yg T(#) 


(i,j)<=A deD 


Y -T 

1 jd 1 


(4. If) 


We can solve the Lagrangian multiplier problem by choosing the value of the 
multiplier that maximizes the Lagrangian multiplier function (Z), as shown in (4.1 g) 
(Ahuja et al., 1993, p. 608). 


ma xL(W ,X,u). 

v>0 


(4-lg) 
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The maximization of the Lagrange multiplier function ( L ) can be accomplished 
various ways. One way is to iteratively update the value of the Lagrange multiplier (p) 
based on a subgradient calculation for a fixed defense (W) and attack (X). This is 
frequently coupled with a trust region method to force termination. See Ahuja et al. 
(1993, pp. 608-615) for a complete discussion. Since bounds of Lagrangian relaxation do 
not always converge, we employ a path enumeration technique of Carlyle, Royset and 
Wood (2008) to close the optimality gap. 

We incorporate the Lagrange multiplier function maximization of (4.1g) into the 
tri-level model to see the effect of the relaxation on the DAD CSP problem in (4.1h). 


min max max min f(W,X,Y,u ) 

We'Y XeE \_ ju>0 YeY(W) 


(4-lh) 


An alternative method to maximize the Lagrange multiplier function ( L ) is to 
focus on the bi-level attacker-defender (AD) model. For the AD version of CSP where 
defenses (W) are fixed, we take advantage of the side by side relationship of the two 
maximization operators in (4.1h). We can characterize the Lagrange multiplier (p) as a 
decision variable, and combine the maximization operators. We define the bi-level AD 
CSP Lagrange variable problem in (4.1 i) to use the Lagrange multiplier (p) as a decision 
variable. Essentially, the attacker gets to choose the arcs to attack (X) and the penalties 
(p) that the operator incurs for infeasibility of the side constraint. 

max min f(FV,X,Y,p). (4.1 i) 

XeE. YeY(tV) 

Since the relaxation of the side constraint allows us to treat the path choice 
variables (Y) as continuous variables, we can construct the dual formulation of the 
innermost minimization operator from (4.1i). The Lagrangian relaxation of bi-level AD 
CSP can be rewritten as a bi-level optimization model in (4. lj) by defining dual variables 
to represent the nodes ( n ) and arcs (a) of the network. We define (4. lj) as the Lagrange 
Variable dual ILPproblem. 
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max f{W,X,7r,a,/j). 

X,;r,aeH, 


(4-lj) 


We can incorporate the Lagrange variable dual ILP problem into the tri-level 
model to see the effect of the relaxation on the DAD CSP problem in (4. Ik). 

min max f(W,X,7r,a,u). (4.1k) 


Expression (4.1k) is a relaxation of the original DAD CSP problem of (4.1c). 
Therefore, (4.1k) is not guaranteed to produce optimal solutions. Decomposition of (4.1k) 
over a series of iterations produces an AD sub problem in (4.11) where the defense (W) is 
held constant. Decomposition produces a DAD master problem in (4.1m) where the 
attack (X), dual (a, n ) and Lagrange (p) variables are held constant. 

max f(W,X,7r,a,ju), (4.11) 

X,7r,ae E:, 

min f(W,X,7T,d,ju). (4.1m) 

Decomposition produces valid lower bounds on the original DAD CSP problem 
instance because it incorporates Lagrangian relaxation. The decomposition in (4.11) and 
(4.1m) produce heuristic solutions to DAD CSP instances more quickly than (4.1c) or 
(4.1h). We develop algorithms to incorporate the efficiencies within (4.1k) to produce 
optimal or provably near optimal solutions to DAD CSP instances more quickly than 
traditional nested decomposition techniques applied to (4.1c). 

Proposition 4—1. DAD CSP is NP-Hard. 

Proof of Proposition 4-1: When defense and attack budgets are restricted to zero 
units, DAD CSP reduces to the decision version of CSP, which is NP-Complete (Ahuja et 
ah, 1993, p. 798). Therefore, DAD CSP is NP-Hard. 

Note that if the defense budget is restricted to zero units and the side constraint 
time budget is not binding, then DAD CSP reduces to the network interdiction SP 
problem, the decision version of which is also NP-Complete (Wood, 1993). Evaluating a 
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feasible defense requires solving an NP-Complete AD problem. Finding the optimal 
defense adds an additional layer of complexity on top of an NP-Complete problem. It is 
unlikely that DAD CSP is even in NP. 

Over the last few years, algorithms for solving instances of DAD SP have 
appeared in the literature. Alderson et al. (2011) gives a higher-level explanation for 
decomposition techniques for the tri-level optimization model for DAD SP. Alderson et 
al. (2014) provides a tutorial on the mathematical details for solving the tri-level DAD SP 
optimization model with decomposition procedures. To the best of our knowledge, the 
existing literature does not address the tri-level DAD CSP optimization problem, nor any 
solution procedures specifically developed for it. 

The intent of this chapter is to investigate the application of Lagrangian relaxation 
to the DAD model for the CSP problem. We apply the nested decomposition methods 
found in Alderson et al. (2014 and 2015) to solve DAD CSP problem instances on small 
to medium sized test networks. We develop new heuristic methods to quickly find an 
estimated solution to DAD CSP instance using Lagrangian relaxation of the side 
constraint. We combine the heuristic methods with nested decomposition to obtain 
provably optimal solutions faster than using nested decomposition by itself. We apply our 
methods to a real-world problem to demonstrate scalability to large networks. 

2. Problem Formulation 

We define the sets, data, decision variables and the formulation of the DAD CSP 
problem in system of Equations (4.2), using a structure similar to Alderson et al. (2014). 

Defender-Attacker-Defender Constrained Shortest Path (DAD CSP) Problem: 

Nodes of the network. (Note: i and j are used as aliases for n) 

(Note: node 5 is start of network; node t is end of network) 

Arcs of the network 

Defense choices for an arc. (Note: do is an undefended arc) 

Iteration of inner decomposition 

Iteration of outer decomposition 


Sets: 
n eN 

(hj) e 4 
d e D 
ksK 
k'eK' 
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Data: 


h,,i 

1m 


time _budget 
attack _ budget 
defense _ budget 


Cost to travel on arc (i, j). 

Cost to defend arc (i, j) with defense d. 

Penalty cost to travel on attacked arc (i, j) with defense d. 

Cost to attack undirected edge (i, j). 

Time required to traverse arc (i, j). 

Maximum time allowed to traverse a path from node s to node t. 
Maximum budget for attacks on the network. 

Maximum budget for defenses for the network. 


Decision Variables: 


W ijd 1 if defense d is chosen for arc (i,j), 0 otherwise. 

Xy 1 if arc (i,j) is attacked, 0 otherwise. 

Xj d 1 if arc (i,j) with defense d is chosen for shortest path, 0 otherwise. 

Y. dk , 1 if arc (i,j) with defense d is chosen for path in outer iteration k 

Z AD Objective function value of AD inner master problem 

Z DAD Objective function value of DAD Outer Master Problem 


Additional Fixed Values of Decision Variables Used in Decomposition: 

X.. 1 when arc (i,j) is attacked in inner decomposition. 

X jjk , 1 when arc (i,j) is attacked in outer decomposition iteration k’. 

W ijd 1 when arc (i,j) is assigned defense d in outer decomposition. 

Y ijdk 1 when arc (i,j) with defense d is chosen for path in iteration k. 


DAD CSP Formulation: 


min max min 

W Y Y 



)-v 


(4.2a) 

A ij hjd 

(i,j)eA deD 





Subject to: 








-1 

if i - 



Z Z 3 * 

- Z Z r *=- 

0 

V/ e 

N\ s,t 

(4.2b) 

j:(i,j)eA deD 

j:(j,i)eA deD 

+1 

ifi = 

t 
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V(/, /) g A, d eO, 

(4.2c) 

I VV 

< attack _budget, 

(4.2d) 

£ IV 

(iJ)eA deD: 
d*d 0 

, ■ W ijd < defense_budget, 

(4.2e) 

I^=! 

deD 

V(i,j)eA, 

(4.2f) 

II V 

(i,j)eA deD 

Y ijd < time budget. 

(4.2g) 


V(/,./) g A,d eD, 

(4.2h) 

V e{o,i) 

V(/,y) e A, 

(4.2i) 

<Ve{0,l} 

V(/,y) g A,d g D. 

(4.2j) 


The objective function (4.2a) expresses the three levels of optimization. The 
innermost minimization operator seeks to minimize the cost of a path through the 
network after defenses and attacks are fixed. The middle maximization operator has the 
objective of maximizing the cost of the resulting path through the network, by attacking 
arcs for a given defense plan. The outer minimization operator chooses the optimal 
defense plan to minimize the worst-case cost over all attacks. Equation (4.2b) represents 
balance of flow equations for each node in the network, where one unit departs the start 
node (s), and one unit arrives at the terminal node (t). Equation (4.2c) only allows an 
edge to be considered for the path with a defense option chosen. Equation (4.2d) is a 
budget constraint on the attacker to ensure that the attacker can only attack as many edges 
as he or she can afford. Equation (4.2e) is a budget constraint on the defender which 
ensures the amount of network defense stays within a budget. Equation (4.2f) ensures 
each edge of the network can only have one defense option chosen. Equation (4.2g) is the 
“side constraint” that changes the SP problem to a CSP problem. Equation (4.2g) ensures 
the path chosen must have a total time less than the overall time budget. Equation (4.2g) 
destroys the special network structure of the DAD problem that had been exploited in 
previous chapters. Because of the side constraint, Equation (4.2h) must restrict the 
decision variable for path segments to binary values, which is the reason that the CSP 
problem is much more difficult than the SP problem. The binary decision variable 


138 



restriction present in Equation (4.2h) can be relaxed in the SP problem, but it cannot be 
relaxed in the CSP problem. Equations (4.2i) and (4.2j) enforce binary restrictions. 

At a minimum, we have two possible defense choices for each arc. Defense 
choices in our application either leave an arc undefended (do) or choose to defend an arc 
(di). Our development of DAD CSP is based on two defense choices. However, our 
formulation can support more than two defense choices. Note that we have to choose 
some defense for every arc, which includes no defense (do). In this formulation, it is 
technically possible to attack an arc that has been defended. But, we choose the penalty 
(q) for traversing a defended arc (di) to be zero units, which makes it unattractive to 
attack a defended arc. 

3. Regular Nested Decomposition Approach 

The only method in the literature available for solving CSP DAD in system of 
Equations (4.2) is to perform a nested decomposition that is somewhat similar to the 
Benders (1962) algorithm (Alderson et al. 2011 & 2014). The significant difference 
between our decomposition and Benders (1962) decomposition is that our sub problem 
contains discrete variables. Thus, our nested decomposition must make the repeated use 
of solution elimination constraints (SEC) to prevent cycling. For a discussion of anti¬ 
cycling in these algorithms, see Alderson et al. (2014). The nested decomposition of CSP 
DAD is detailed in system of Equations (4.3). The nested decomposition features an inner 
and outer decomposition, where the inner decomposition addresses the inner 
minimization of path variables (Y) and middle maximization of attack variables (X), and 
the outer decomposition takes the result of the inner decomposition and addresses the 
outer minimization of defense variables (W). The nested decomposition requires the 
introduction of new sets that govern the iterations of both inner and outer decomposition, 
and new variables representing paths for each iteration of outer decomposition. We use a 
hat ( A ) on a variable to represent a fixed value that is referenced during decomposition. 
We refer to this nested decomposition technique as regular nested decomposition in order 
to distinguish it from other methods that we will introduce later in the chapter. 
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The inner decomposition AD sub problem takes a fixed defense ( W ), a fixed 
attack (X ) and solves for the minimum cost path (Y) through the network. 

a. CSP Inner Decomposition AD Subproblem Formulation: 

min X S ( c n + <hjd ' )' Y ijd » ( 4 - 3a ) 

v* (i,j)&A deD 

Subject to: 




-1 if/ 

= X 



z z^- 

■ Z Z^= 

0 V/ 

e N \ s,t 

> 

9 

(4.3b) 

j:(i,j)eA deD 

j:(j,i)eA deD 

+1 if i 

V 

= t 



Z s 



V(/',y) e A,d gD, 

(4.3c) 

(iJ)eA 






Z Z','Y 

, < time _ budget, 



(4.3d) 

(i,j)eA deD 






Z Ztw + 

Z ZM*) 

>1 

V/cgK, 

(4.3e) 

( i,j)eA: deD 

(i,j)eA: deD 





4*=° 

%jdk =1 








V(/,/) eA,d g D. 

(4.3f) 


The objective function (4.3a) minimizes the cost of a shortest path based on fixed 
attacks to the network. Equation (4.3b) restates Equation (4.2b). Equation (4.3c) 
resembles Equation (4.2c), except the defense variables are now fixed values. Equation 
(4.3d) restates Equation (4.2g). Equation (4.3e) is a SEC to prevent cycling in the inner 
decomposition. Equation (4.3e) is a SEC that is only activated in inner decomposition 
iterations when a choice of path variables (Y) is repeated from a previous iteration. 
Equation (4.3f) restates (4.2h). 

The inner decomposition AD master problem takes a fixed defense (JV) and a list 
of fixed paths (7) for each iteration (K) to solve for the worst-case attack (X) that 
maximizes the length of the shortest path. During each iteration (K) of inner 

decomposition, the AD sub problem takes a set of fixed defense variables (W ) and fixed 
attack variables (X ) and determines a shortest path through the network. The choice of 
shortest path variables (Y) for the current iteration (K) become an input to the AD master 
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problem. The cost associated with the shortest path updates the inner decomposition 
lower bound if it is the highest cost of all iterations. 


b. CSP Inner Decomposition AD Master Problem Formulation: 


max Z AD , 

Zad-Xj 


(4.3g) 

Subject to: 



Zad — 2 {pij + # ijd ' Xy ) • Yy dk 

(i,j)eA deD 

\/k e K, 

(4.3h) 

r y -X. < attack_budget , 


(4.3i) 

£*«+ 1 

( ; a. (; A- 

Vk'eK, 

(4.3j) 

(l,J )GA. 

4*.=o V=i 



■^{0,1} 

V(/,y ) e A. 

(4.3k) 


The objective function (4.3g) and (4.3h) work together to form the inner master 
problem decomposition to maximize the cost of fixed shortest paths by the choice of 
attack variables (X). Equation (4.3i) restates Equation (4.2d). Equation (4.3j) is a SEC to 
prevent cycling in the outer decomposition. Equation (4.3j) is only activated in outer 
decomposition iterations when a choice of attack variables (X) is repeated from a 
previous iteration of outer decomposition. Equation (4.3k) restates Equation (4.2i). 

The AD master problem next detennines a choice of attack variables (X) to 
maximize the cost of the shortest path. Each iteration of the AD master problem 
represents an opportunity to update the inner decomposition upper bound. When the inner 
decomposition lower bound is updated, the attack associated with that iteration is saved 
as the best known attack. We refer to this set of best attack variable values as Xstar (X*). 
The best attack result is then input to the DAD outer decomposition master problem. The 
cost of the best attack updates the upper bound of the outer decomposition. 

The outer decomposition master problem takes a list of fixed attacks over a series 
of outer iterations ( X k ,) and solves for the best defense (W) and the resulting path for 
each outer iteration (Tt ) to minimize the shortest path for the original problem instance. 
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c. Outer Decomposition DAD Master Problem Formulation: 


7 min Z DAD , 

z DAD » W ijdk ' >* ijdk ' 

Subject to: 



(4.31) 

^ DAD — Z Z( C '# + tfijd ' ^ijk ' ) ' 
(i,j)eA cIgD 

V- Vk'eK, 

(4.3m) 


-1 if/ = s 



E Ev- E E 7 *»- = 

j:(i,j)eA deD j:(j,i)eAdeD 

0 V/ eN\ s,t 

+1 if i = t 

> 

5 

(4.3n) 

VI 

V(/,./) e 

e A,d e D,k' e K, 

(4.3o) 

E^=! 

d&D 

V(/,y) e A, 

(4.3p) 

Z Z l ij ■ Y ^' - time _buclget 

( i,j)eA deD 

\/k' <eK, 

(4.3q) 

iU.e{ai} 

V(/, j) e A,d eD,k' eK, 

(4.3r) 

e{0,l} 

V(/,y ) e A, d <e D. 

(4.3s) 


The objective function (4.31) and (4.3m) work together to form the outer 
decomposition master problem to minimize the cost of shortest paths with fixed attacks 
by the choice of defense and path variables. Equation (4.3n) and (4.3o) are similar to 
Equations (4.2b) and (4.2c), except that iteration subscripts “k” have been added to the 
path variables for each round of outer decomposition. Equation (4.3p) restates Equation 
(4.2f). Equations (4.3q) and (4.3r) are similar to Equations (4.2g) and (4.2i), respectively, 
but the addition of subscript “k” allows for different path variables for each iteration of 
outer decomposition. Equation (4.3s) restates Equation (4.2j). 

The outer decomposition works through a set of iterations (K’) until a stopping 
criterion is reached. For each outer decomposition iteration, the best attack (X) from the 
inner decomposition is used as a fixed input to update an outer lower bound. The outer 
decomposition then determines a choice of defense variables (W) to create a shortest 
path. The shortest path variables (Y) are dependent upon a fixed attack (X) for each outer 
iteration (K’). The outer decomposition lower bound may be updated every time defense 
variables (W) find a shorter (lower cost) path. When the outer decomposition lower 
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bound changes, the values of the defense variables used in that iteration are saved as the 
best defense. We refer to the best defense as W star (W*). The outer decomposition 
continues until the outer upper and lower bounds match. The result of the outer 
decomposition is the choice of defenses (W). 

The algorithm for implementing regular nested decomposition of DAD CSP is 
similar to the DAD minimum cost flow problem presented in Chapter I. The only 
significant algorithmic difference between regular nested decomposition of DAD CSP vs. 
DAD minimum cost flow that of Chapter I is that the operator model decision variables 
(Y) are now restricted to binary values. This difference means that SEC that were present 
in outer decomposition must now also appear in the inner decomposition to prevent 
cycling. We present the extra SEC in (4.3e). The algorithm of Chapter I can be adapted 
mutatis mutandis for the decomposition of the DAD CSP problem in system of Equations 
(4.3). Regular nested decomposition of system of Equations (4.3) can solve small to 
medium sized instances of DAD CSP optimally. Large-scale DAD CSP problem 
instances may struggle to find optimal solutions in a reasonable amount of time. 

The number of binary variables in a DAD CSP problem instance can be quite 
large, since the binary decision variables for path (Y), attack (X) and defense (W) apply 
to every arc in the network. The total number of binary variables in a problem is three 
times the cardinality of the arc set. If we let “m” represent the number of arcs in the 
network, then the total number of binary variables in the DAD CSP problem is 3m, as 
shown in Equation (4.3t). Later sections of the chapter are devoted to finding methods 
that reduce the number of binary variables in the DAD CSP problem by taking into 
account the structure of the side constraint. 

DAD CSP total binary decision variables = 

m defense variables + m attack variables + m path choice variables = 3 m ^ 3 t) 

B. ARTIFICIAL TEST NETWORKS 

We created two networks for testing the DAD CSP problem. The first is a small 
instance derived from Ahuja et al. (1993) for testing purposes and to understand the 
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sequence of solutions examined by our algorithms. The second test instance is a medium¬ 
sized mesh-like network with random data to test the limits of computation. 

The first test network is a small six node textbook example shown in Figure 44 
(Ahuja et al., 1993, p. 599). Each directed arc has two associated data values. The first 
value is the cost for traveling on the arc and the second value is the time required to 
traverse the arc. This network was chosen because it has been studied in the literature and 
for characteristics that will be used in a later section. The starting node is node 1 and the 
tenninal node is node 6. The shortest path in the network is to traverse the arcs (1,2), (2, 
4), (4, 6), with a cost of three units and usage of 18 time units. In order to make the side 
constraint meaningful, we must choose a time budget less than 18 units. A time budget of 
14 units is used with this network, which makes the original shortest path infeasible. 



Figure 44. Six Node Test Network. Adapted from Ahuja et al. (1993, p. 599) 

The second test network is a medium size grid network based on the CSP problem 
of Royset, Carlyle and Wood (2009). It is a grid with 50 nodes and 124 directed arcs, 
shown in Figure 45. This network is acyclic since each of the directed arcs points from 
left to right. The values of the arc cost and time are random integers uniformly distributed 
between one and ten, inclusive. The random values are obtained from the random integer 
generator found in Python programming software version 2.7 with a seed value of one. 
The arc costs and time values are not shown in Figure 45 for the sake of clarity. The 
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randomly assigned cost and time values for the arcs for the 50 node grid network are in 
Table 29. All of our tests are based on the costs and times in Table 29. 



Figure 45. 50 Node Test Network 
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Table 29. Arc Cost and Time Values for 50 Node Test Network 


(hj) 

c ij 

6/ 

(hj) 

c v 

6/ 

(hj) 

c ‘i 

6/ 

(hj) 

c ii 

6/ 

1,2 

2 

9 

14,23 

8 

7 

1,26 

1 

1 

36,37 

9 

10 

2,3 

8 

3 

15,8 

4 

5 

26,19 

8 

3 

36,45 

8 

6 

2,11 

5 

5 

15,16 

6 

8 

26,27 

2 

7 

37,30 

4 

4 

3,4 
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The shortest cost path in this network has a cost of 17 distance units and a usage 

of 43 time units. Conversely, the shortest time path in this network uses 18 time units 

with cost of 42 distance units. Note that the shortest path cost of 17 distance units is much 

different than the quickest path cost of 42 distance units. Figure 46 plots of the shortest 

cost path with a solid pink line and the shortest time path with a brown dashed line for the 
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50 node grid test network. Our goal for testing DAD CSP with the 50 node test network 
will be to minimize cost with a time budget as the side constraint. In our tests, we 
minimize cost and use a side constraint time budget of 40 units with this network so that 
the side constraint is meaningful. Note that a time budget of 40 time units renders the 
unconstrained shortest cost path infeasible because that path requires 43 time units. There 
are many non-shortest paths with total time values below 40 units. We choose 40 units 
because a reasonable number of feasible paths may be considered by the defender and 
attacker, and it also forces the side constraint to be binding. 



Figure 46. Shortest Cost and Shortest Time Paths for 50 Node Test Network 

Our tests with these networks were conducted on Windows 7 computers with dual 
Xeon E-7 18 core processors operating at 2.3 GHz, with 128 GB of RAM and solid state 
hard drives. We use the General Algebraic Modeling System (GAMS) modeling software 
version 24.5 (GAMS, 2016) with the Industrial Business Machines (IBM) CPLEX solver 
version 12.6 (IBM, 2016). The algorithmic decomposition improvements described in 
later sections of this chapter are implemented with Python programming language 
version 2.7 interacting with the GAMS optimization software. 
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For both test networks we impose a penalty cost (q) of 25 units for traveling on an 
undefended (do) and attacked arc in the shortest path. A penalty of 25 units represents 2.5 
times the maximum cost of any arc in the 50 node test network. The penalty cost (q) is 
zero units for traveling on undefended arcs that are not attacked. Furthermore, the penalty 
cost (q) is zero units for traveling on a defended arc, regardless of whether it is attacked 
or not. Zero penalty (q) for travel on a defended arc (di) eliminates the incentive for an 
attack to occur on a defended arc. We choose the cost of attacking any arc to be one unit 
of attack budget. We choose the cost of defending any arc to be one unit of defense 
budget. We set the tolerances for inner and outer decompositions to be less than one unit, 
which forces our algorithms to converge on the optimal solution. We revisit setting 
solution tolerances later in the chapter when we test a large real world network, for which 
optimal solutions are not practical. 

The regular nested decomposition in system of Equations (4.3) can solve 
instances of DAD CSP for both test networks. We observe from both test networks that 
the solution time for “regular” nested decomposition of DAD CSP increases as the size of 
the defense and attack budgets increase. The size of the network in tenns of the number 
of nodes and arcs also plays a significant role, with larger networks taking longer time to 
solve than smaller networks. The 50 node grid test network shows examples where the 
time to obtain a solution to the DAD CSP problem becomes longer as the budget scenario 
increases. Figure 47 plots the amount of solution time required in nested decomposition 
for various defense and attack budget scenarios on the 50 node grid test network. 
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DAD CSP Nested Decomposition Solution Times 



Figure 47. Nested Decomposition Solution Times in 50 Node Test Network 

We can see clear evidence in Figure 47 that the nested decomposition solution 
begins to take a larger amount of time as the defense and attack budgets increase. With 
the 50 node grid test network, problem instances with an attack budget of seven units 
have a dramatic increase in solution time than instances with an attack budget of six 
units. A similar, but less dramatic, effect occurs when changing the problem instance 
attack budget from six to five units. Smaller attack budgets of four units or less appear to 
have a negligible effect on the time to obtain a solution. Additionally, increasing the 
defense and attack budgets to eight units appears to be a tipping point in the ability for 
our regular nested decomposition implementation in GAMS optimization software to find 
a solution to DAD CSP. We found that the DAD CSP problem instance for the 50 node 
test network with defense and attack budgets of eight units can take over 24 hours to 
compute without convergence on an optimal solution in regular nested decomposition. 
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This chapter explores methods to either estimate or solve DAD CSP problem 
instances faster than the regular nested decomposition technique. The challenge is to find 
an algorithm improvement to regular nested decomposition that can speed up the amount 
of time to get an answer to a DAD CSP problem instance. 

C. LAGRANGIAN RELAXATION OF OPERATOR MODEL 

In this section, we seek to transform the formulation of DAD CSP to reduce the 
number of binary decision variables in the problem. The reduction in the number of 
binary decision variables may improve the ability of the problem to solve more quickly. 
We focus on the operator model, and relax the path choice variables (Y) to continuous 
variables through the technique of Lagrangian relaxation. 

Lagrangian relaxation can be used to transform a difficult integer or binary 
programming problem into a simpler model by relaxing the difficult constraints and 
adding a tenn in the objective to penalize infeasibility (Fisher, 1981). The DAD CSP 
problem is a difficult binary program to solve because the side constraint time budget 
eliminates the special network structure of the problem. Fisher states that moving the side 
constraint into the objective function “produces a Lagrangian problem that is easy to 
solve and whose optimal value is a lower bound (for minimization problems) on the 
optimal value of the original problem” (1981, p. 1). We use the technique of Lagrangian 
relaxation described in Ahuja et al. (1993, pp. 599-614) to move the side constraint time 
budget of Equation (4.2g) into the objective function. We introduce a Lagrange multiplier 
(p) that is used as a parameter to penalize violation of the side constraint budget. We find 
the best value for the Lagrange multiplier (p) through a series of iterations of a new inner 
sub problem. We update the value of the Lagrange multiplier (p) after each iteration. 


DAD CSP Operator Model with Lagrangian Relaxation: 

Additional Sets 

p e P Iterations of Lagrangian relaxation (Note: |P| = 25 for our test networks) 
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Additional Parameters 


ji/ p Value of Lagrange multiplier in iteration p. 

Additional Decision Variables 

Z p Objective function value during Lagrangian relaxation iteration /. 


Formulation 


Z = min 
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(4.4e) 


Equation (4.4a) shows the time budget constraint moved to the objective function 
with Lagrange multiplier (p). Equations (4.4b) and (4.4c) are the same as (4.3b) and 
(4.3c). Equation (4.4d) is very different from its counterpart Equation (4.3f) because the 
time budget constraint has been moved to the objective function. The network structure 
of the problem has been regained, and the path variables (Y) may be treated as 
continuous variables. The network structure only allows integer solutions to occur, even 
though continuous variables are permitted. Equation (4.4e) restates Equation (4.3e). 

The classic Lagrangian relaxation iterative model selects values for the Lagrange 
multiplier (p) in order to maximize the lower bound of the operator model, as discussed 
in the introduction section. The solution to the Lagrangian relaxation of the inner sub 
problem of Equations (4.4a-e) occurs over a series of iterations (P) until a stopping 
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criterion is reached. The Lagrange multiplier (p) begins with a value of zero for the first 
iteration. The multiplier is updated to a new value for subsequent iterations. The update 
of the Lagrange multiplier (p) is essentially an adaptation of “Newton’s method” for 
solving systems of equations in sub gradient optimization (Ahuja et ah, 1993, p. 612). 


Lagrangian Relaxation Iterative Model: 


Additional Parameters: 

Lag _ UB Upper bound achieved in iterative Lagrangian relaxation 
V p Subgradient of the remaining time budget on a path in iteration /. 

A Scalar multiplier for Lagrangian bounding heuristic in iteration /. 

6 Step length for update amount to Lagrange multiplier in next iteration. 


Formulation: 


L(W = Z p . 

(4.4f) 
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We have applied the derivation of Ahuja et al. (1993) for Equations (4.4f-j) to 
update the Lagrange multiplier. Equation (4.4f) identifies the Lagrangian multiplier 
function ( L ), as defined in the introduction section. The objective function (4.4g) 
maximizes the Lagrangian multiplier function ( L ) through an iterative search for the best 
value of the multiplier (p). Each increase in the value of the iterated solution to the 
system of Equations (4.4) updates the lower bound on the Lagrangian relaxation of the 
problem. If the solution of the current iteration of system of Equations (4.4) also satisfies 
the original side constraint of Equation (4.2g), then the upper bound of the Lagrangian 
relaxation can be updated. Equation (4.4h) represents the difference between the amount 
of time used on the shortest path and the time budget in the side constraint. Ahuja et al. 
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(1993) refer to this difference as a subgradient norm to update the Lagrange multiplier. 
After the inner decomposition sub problem is solved, we take the final values of the 
shortest path variables (Y) as fixed values to compute the sub gradient norm. If the sub 
gradient norm is positive, then the side constraint is violated. Likewise, if the sub 
gradient nonn is negative, then the side constraint holds. Equation (4i) represents a step 
length for how much the value of the Lagrangian multiplier should be updated in the next 
iteration of Lagrangian relaxation. Equation (4.4i) approximates the step size of the 
change of the Lagrange multiplier (p) (Fisher, 1981). Equation (4.4i) is a heuristic 
approach to Newton’s method because the actual optimal value of the Lagrangian 
relaxation is not known in advance (Ahuja et ah, 1993, p. 613). The scalar multiplier (X) 
in the numerator of Equation (4.4i) can be any value, and we choose to start with 0.8 as 
suggested by Ahuja et al. (1993). The value of the scalar multiplier is reduced in half if 
the lower bound is not improved over three iterations of relaxation. In the heuristic, the 
current upper bound represents the best found feasible solution that does not violate the 
time budget. Equation (4.4j) is the update mechanism for the Lagrange multiplier (p). 
Equation (4.4j) takes the positive part of the previous Lagrange multiplier plus the 
product of the step length and sub gradient norm, so that the value of the Lagrange 
multiplier is never negative. 

Since no standard stopping criterion exists for the heuristic of Equation (4.4i), we 
tenninate the updating of the Lagrange multiplier after 25 iterations if the upper and 
lower bounds do not match (Ahuja et al. 1993, p. 613). The choice of 25 iterations is 
arbitrary, but we observe in every case that almost no change to the solution occurs past 
this point. The Lagrangian upper bound is updated whenever the calculation in Equation 
(4.4h) yields a negative number, and the shortest path cost is lower than the current upper 
bound. The Lagrangian lower bound is updated when the shortest path cost is larger than 
all other iterations, regardless of the value of Equation (4.4h). 
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D. IMPROVEMENTS TO THE INNER DECOMPOSITION ALGORITHM 


This section finds algorithmic improvements to the inner decomposition of DAD 
CSP with Lagrangian relaxation. Inner decomposition is based on fixed values of the 

defense variables (W). 

1. Lagrange Variable Problem Transformation 

We devise a novel approach to calculate the best value of the Lagrange multiplier 
(p) during inner AD decomposition. Our innovative approach eliminates the iterative 
process to determine the value of the Lagrange multiplier (p) and decreases the amount of 
time needed to obtain a lower bound on the problem solution. Traditionally, the Lagrange 
multiplier (p) is found via the iterative process shown in the previous section. 

We change the Lagrange multiplier (p) from a parameter that is determined 
iteratively, to a decision variable to be maximized. Another way to think about this 
change is to imagine that the attacker of the network gets to pick both the worst-case 
attack to the network as well as the value of the Lagrange multiplier (p) that will be used 
by the defender. The attacker can choose a value of the Lagrange multiplier (p) that 
maximizes the effect of his worst-case attack on the operation of the network. We call 
this change to the AD CSP problem the Lagrange Variable AD CSP problem. 

Because Lagrangian relaxation is incorporated into the problem formulation, the 
solution obtained can be infeasible for the original side constraint. Note that the time 
budget is the side constraint in our formulation. The infeasibility possibility means that 
the Lagrange variable problem should not be used by itself to solve a problem instance, 
since the solution it finds may be either infeasible or suboptimal. However, the objective 
value obtained via Lagrangian relaxation is a valid lower bound on the original problem 
solution due to weak duality theory (Fisher, 1981). Thus, the Lagrange Variable problem 
can be an incremental step in a larger algorithm to find an optimal solution. We develop 
other techniques later in the chapter to obtain convergence on a final optimal feasible 
solution to the original problem instance. We formulate both the primal and dual versions 
of the AD CSP Lagrange Variable problem. A dual exists for the inner minimization of 

the path choice variables (Y) because of the Lagrangian relaxation. 
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In our formulation of the AD CSP problem Lagrange variable problem, we 
include dual variables on the constraints; these are the dual variables for any version of 
the Lagrangian relaxation with a fixed defense (W) and fixed attack (X), since the 
resulting problem is simply a shortest path linear program. These variables facilitate the 
formulation of a dual-ILP version of the AD CSP Lagrange variable primal problem. 

AD CSP Lagrange Variable Primal Problem: 

Additional Decision Variables: 

ju Lagrange multiplier variable for violating the time budget 

7Z t Dual variable associated with network node i. 

a jjd Dual variable associated with network arc (i,j) with defense d. 


Formulation: 


max min 
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(4.5a) 


(4.5b) 

(4.5c) 

(4.5d) 

(4.5e) 

(4.5f) 

(4.5g) 


We reformulate the inner AD model in (4.5a) with Lagrangian relaxation of the 

time constraint to the objective function. The noticeable change in (4.5a) is that the 

Lagrange multiplier (p) is now a decision variable instead of a data parameter. Equation 

(4.5b) are the usual balance of flow constraints, and we introduce the dual variable (-7t) to 

account for the activity at each node in the network. We introduce dual variables with a 

negative value to keep with the dual variable convention used in other chapters. Equation 
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(4.5c) introduces the dual variable (-a) to account for activity on each arc of the network. 
Equation (4.5d) is the unchanged restriction on the number of attacks. Equation (4.5e) 
allows path variables (Y) to be continuous because of the special network structure of the 
problem created by relaxing the time constraint to the objective function. Equation (4.5g) 
restricts the Lagrangian multiplier decision variable to positive values. 

Since the inner minimization of AD CSP Lagrange Variable primal problem 
involves a continuous variable (Y), we are able to solve it in at least two different ways. 
We can solve AD CSP Lagrange variable problem with Benders (1962) decomposition. 
A more attractive option would be to take the dual of the inner minimization problem and 
reduce the CSP AD Lagrange Variable problem from bi-level maxi-min optimization to a 
single level maximization problem. The advantage of taking the dual of the inner 
minimization is that the single-level maximization problem frequently can be solved 
more quickly than using Benders (1962) decomposition. This is the case for almost every 
instance of our problem that we discuss. 


AD CSP Lagrange Variable Dual ILP Problem Formulation: 


max 



-1 if i = s 



-I- 

0 V/ e N\ s,t 

>-7ti 

- Z 

ieN 

+1 if i = t 


(i,j)e.A cIgD 


Subject to: 


ju ■ time_budget, 


(4.5h) 


+Xj ~a ijd <c tj +q ijd -X + J u-t ij V(/,y) g A,d&D, (4.5i) 

^ n -X < attack_budget, (4.5j) 

n i unrestricted Vi e N, (4.5k) 

(4.51) 

-ct jd > 0 V(/,y ) g A,d g D, (4.5m) 

Xy&i 0,1} V(/,y) g A, (4.5n) 

// > 0. (4.5o) 


Expression (4.5h) is the single level maximization of the dual integer linear 
program (ILP). The first summation in (4.5h) has only one nonzero tenn (7i t ). Equation 


(4.5i) is the dual equation for each arc in the network. Equation (4.5j) is unchanged from 
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the primal problem. Equation (4.5k) and (4.51) define the restrictions on the node dual 
variables, and anchors the start node to a value of zero. Equation (4.5m) ensures the arc 
variables are non-negative. Equations (4.5n-o) are unchanged from the primal problem. 

The AD CSP Lagrange variable dual ILP problem is a mixed integer program that 
can be solved in one invocation of optimization software. The useful result of the AD 
CSP Lagrange variable dual ILP is the values of the attack variables (X) and the objective 
function value. The optimal values of the dual node and arc variables (71 and a) are not of 
particular concern. However, there is no guarantee that the dual variables will be 
associated with a feasible path that satisfies the side constraint time budget. The Lagrange 
variable relaxation allows the time budget to be violated, which would permit solutions 
that are infeasible for the original problem instance. 

We use the dual-ILP formulation for the remainder of the chapter because it 
avoids the confusion resulting from presenting a nested decomposition algorithm. In 
practice, we observe the dual-ILP is faster than decomposition of the AD CSP Lagrange 
variable primal problem on our test network problem instances. However, if Benders 
(1962) decomposition would be significantly faster than solving the dual-ILP for other 
problem instances, then it could be easily incorporated into our algorithm without a 
change to the theoretical results. 

2. Path Enumeration Closes Lagrangian Relaxation Optimality Gap 

When we choose to perform iteration to find the best value for the Lagrange 
multiplier (p) in the relaxed operator model, we must address the issue of convergence. 
Lagrangian relaxation is not guaranteed to converge on an optimal solution. For example, 
Lagrangian relaxation of the CSP for the six node test network does not converge on an 
optimal solution when the time budget is 14 units as discussed in Ahuja et al. (1993, pp. 
608-614). We require a method to obtain the optimal constrained shortest path when the 
Lagrangian relaxation bounds cannot agree. We employ a recursive path enumeration 
algorithm to close the gap between the Lagrangian upper and lower bounds, as described 
in Carlyle et al. (2008). We enumerate all of the time budget feasible paths that exist with 
costs between the Lagrangian upper and lower bounds with a recursive depth first search 
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network algorithm. Carlyle et al. (2008) show how this technique can be applied to 
medium and large size networks. The depth first search path enumeration algorithm we 
implement is adapted from Python Software Foundation (2003). Pseudo-code for the path 
enumeration algorithm is in the Appendix. 

3. Multi-cut Inputs to AD Inner Master Problem 

Each iteration of inner decomposition of the AD CSP problem involves finding 
the single best feasible path for a fixed defense plan in the inner sub problem. That path is 
attacked in the inner decomposition AD master problem. Inner decomposition could be 
done more quickly if multiple feasible short paths were fed to the master problem instead 
of just one path at a time. When the Lagrangian relaxation of the inner AD sub problem is 
iterated and the Lagrangian bounds do not match, there is an opportunity to find multiple 
feasible paths to close the Lagrangian optimality gap. The previous section described 
how path enumeration is used to close the gap between the Lagrangian upper and lower 
bounds of the relaxation of the AD sub problem by finding the shortest feasible path that 
exists between the Lagrangian upper and lower bounds. But, path enumeration also 
generates all of the feasible paths that have a cost between the Lagrangian upper and 
lower bounds of the relaxed AD inner sub problem. Instead of only utilizing the shortest 
cost path in between the Lagrangian upper and lower bounds found in the inner sub 
problem, we can utilize any subset of the feasible paths generated by the path 
enumeration algorithm in an attempt to reduce the number of iterations in the inner AD 
sub problem. Each feasible path generated through the path enumeration algorithm 
becomes an input cut to the inner decomposition AD master problem. Our use of more 
than one path per iteration as input cuts to the AD master problem are called multi-cuts. 

In order to implement multi-cuts into the path enumeration algorithm, we only 
need to make one change in the final step of the path enumeration algorithm: 

Return all time budget feasible paths with their associated costs. 

This change means the CSP with Lagrangian relaxation inner AD master problem 
receives many feasible paths as inputs during an iteration. All feasible paths can now be 
given as input cuts to the AD master problem. 
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However, the use of multi-cuts does have a shortcoming. In large networks, it 
may be possible that an enormous number of feasible paths exist with costs that are 
between the Lagrangian upper and lower bounds. If the upper and lower bound gap is 
significantly large, an enormous amount of paths could become input cuts. We do not 
recommend the use of all multi-cuts on large networks since the constraint set could 
become prohibitively large. Instead, an analyst could limit the size of the constraint set by 
selecting only small number of multi-cuts to pass to the master problem. 

Another criticism of the use of multi-cuts as inputs to the inner AD master 
problem is that using all feasible paths at once could generate some superfluous cuts in 
the AD master problem that do not influence the choice of the optimal attack solution. A 
rebuttal to this criticism is that it is also possible that some relevant cuts that would have 
been found in later iterations of inner decomposition may be discovered in earlier inner 
iterations because of the path enumeration routine. Therefore, we believe the benefit of 
finding relevant cuts earlier than normal through path enumeration outweighs the 
possibility of including some useless path cuts in the inner AD master problem. 

Consider the six node test network. In this example, we assume zero defense 
budget, so no arcs are defended. We assume an attack budget of one unit, so only one arc 
may be attacked. We assume a time budget of 14 units. Next, we perform decomposition 
to obtain the best attack and the resulting shortest cost path subject to the time budget. 

Lagrangian relaxation with path enumeration on the six node test network will 
take three iterations to find the worst-case attack and shortest path cost. The details of 
each iteration of Lagrangian relaxation with path enumeration are shown in Table 30. 
Figure 48 shows the final results of each iteration implemented on the test network. In 
Figure 48, each iteration is shown, starting in the top left. The final attack is shown with a 
red “X” and the shortest path chosen is a blue line for each iteration. The lower bound is 
obtained by the cost of the path with the initial attack, and the upper bound is obtained by 
the cost of the path with the final attack. 
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Table 30. Lagrangian Relaxation and Path Enumeration on Test Network 


Iteration 

Initial 

Attack 

Shortest Path 

Final 

Attack 

AD Upper 
Bound 

AD Lower 
Bound 

1 

None 

(1,3), (3,2), (2,4), (4,6) 

(1,3) 

38 

13 

2 

(1,3) 

(1,2), (2,4), (4,5), (5,6) 

(2,4) 

38 

14 

3 

(2,4) 

(1,3), (3,2), (2,5), (5,6) 

(2,4) 

15 

15 





Third Iteration 

Figure 48. Lagrangian Relaxation and Path Enumeration on Test Network 

Next, we examine the effect of introducing multi-cuts on the six node test 
network. The details of each iteration of Lagrangian relaxation with multi-cut path 
enumeration are shown in Table 31. Figure 49 shows the final results of each iteration 
implemented on the test network. In Figure 49, the first and second iterations are shown 
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from left to right. In the first iteration, the three feasible paths obtained from enumeration 
are shown with a solid blue line, a short dashed purple line, and a longer dashed orange 
line. The final attack based on all multi-cuts is shown with a red “X.” The second 
iteration only has one feasible path remaining. 


Table 31. Multi-cut Algorithm Improvement on Six Node Test Network 


Iteration 

Initial 

Attack 

Feasible Paths 

Final 

Attack 

AD Upper 
Bound 

AD Lower 
Bound 

1 

None 

(1,3), (3,2), (2,4), (4,6) 

(1.2) , (2,4), (4,5), (5,6) 

(1.3) , (3,2), (2,5), (5,6) 

(2,4) 

15 

13 

2 

(2,4) 

(1,3), (3,2), (2,5), (5,6) 

(2,4) 

15 

15 



(a) First Iteration (b) Second Iteration 

Figure 49. Multi-cut Algorithm Improvement on Six Node Test Network 

The beneficial result of the inclusion of multi-cuts on the example problem 
instance is the number of iterations required to find the solution to the inner AD 
decomposition is reduced. The first iteration is able to enumerate three feasible paths 
before an attack is determined by the master problem. The worst-case attack can only 
affect two of the three feasible paths. When comparing the first iteration of the multi-cuts 
improvement with the three iterations of inner decomposition without the multi-cuts 
improvement, it can be seen that all feasible paths are obtained in one step with multi¬ 
cuts, and in this case, no superfluous paths were created. The multi-cuts improvement 
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eliminated the need to perform Lagrangian relaxation three times in order to obtain the 
three relevant paths for the AD master problem. There is only one feasible path found by 
enumeration in the second iteration because the other feasible paths from the first 
iteration are excluded. The penalty (q) imposed by the initial attack raises the cost of arc 
(2, 4) by an additional 25 units. The penalized cost of the arc results in paths that are 
more expensive than the upper bound. 

E. RELAXATION IN INNER AND OUTER DECOMPOSITION 

The Lagrange variable dual ILP problem of (4.5h-o) can be implemented into the 
AD inner decomposition in two different ways. The most powerful application of the 
Lagrange variable dual ILP problem is to completely replace AD inner decomposition 
with the Lagrange variable dual problem. Notice that both the Lagrange variable dual ILP 
problem and regular AD inner decomposition produce an attack (X) to provide as input to 
the outer decomposition. Regular inner decomposition can produce an optimal attack, but 
the Lagrange variable problem usually can produce an attack that is fairly close to 
optimal. There is no guarantee of the quality of the attack found by the Lagrange Variable 
dual ILP problem. Since optimal attacks are not found, this application is a heuristic 
approach. But, as we will show, the savings in computation time of not performing inner 
decomposition are quite dramatic. 

A second application of the Lagrange variable dual ILP is as a warm start for the 
combination of the iterative Lagrangian relaxation operator model with path enumeration. 
In this second application, we use the fact that each round of inner decomposition begins 
with a starting point of no fixed attacks. Decomposition works by constructing attacks 
one at a time until the optimal attack is found. The Lagrange variable dual ILP problem 
can be used to find an initial attack that is usually fairly close to optimal. This initial 
attack from the Lagrange variable problem can then be used as a starting fixed attack (X) 
for Lagrangian relaxation of the operator model. The result is usually fewer inner 
decomposition iterations because the starting point attack is close to the optimal attack. 

The path enumeration algorithm terminates with the constrained shortest path. 
The associated cost of the constrained shortest path is used to update the inner 
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decomposition lower bound. The values of the shortest path variables (Y) are fixed and 
supplied as input to the AD master problem. 

The AD inner master problem used in conjunction with the operator model 
Lagrangian relaxation is unchanged from (3g-k). Each iteration of the AD master 
problem represents an opportunity to update the inner decomposition upper bound. When 
the inner decomposition lower bound is updated, the attack associated with that iteration 
is saved as the best known attack. We refer to this set of best attack variable values as X 
star (X*). Also, the value of the Lagrange multiplier from the AD sub problem used in 
this iteration is saved as the best known Lagrange multiplier. We refer to this best known 
value of the Lagrange multiplier as mu star (p*). Pseudo-code for the implementation of 
the Lagrangian relaxation and path enumeration as the AD inner decomposition is 
presented in the appendix. 

Either of the two approaches for inner decomposition can serve as a sub problem 
for the outer decomposition master problem. The outer decomposition master problem of 
DAD CSP with Lagrangian relaxation features the minimization of both binary defense 
variables (W) and path variables (Y). We use Lagrangian relaxation again on the outer 
decomposition master problem by moving the time budget constraint to the objective 
function. This transfonnation again restores the special network structure of the problem 
and allows us to treat the path variables (Y) as continuous variables. The Lagrange 
multiplier (p) is necessary to regain the network structure of the outer master problem, 
and it can be different for each iteration of outer decomposition (k’). However, we do not 
treat the Lagrange multiplier (p) as neither a decision variable nor an iterated value in the 
relaxed outer master problem. Instead, we choose to import the value of the Lagrange 
multiplier (p) that was obtained from inner decomposition. We use the hat symbol ( A ) to 
denote the Lagrange multiplier is a fixed value in the relaxed DAD outer master problem. 

DAD CSP with Lagrangian Relaxation Outer Master Problem: 

Additional Parameter: 

ju k , Lagrange multiplier during iteration k ’ of outer decomposition. 

(Note: Obtained from inner decomposition) 
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Formulation: 


min Z DAD , 

W tJd ,Y m . 

Subject to: 


(4-5p) 


7 > 

^DAD — 


E E (O/tf + dijd ' 4’ ) ' I + At' 

( i,j)eA deD 

-1 if/ 

E Ev- E Ev = 0 Vi eAr ' s >' 

j:(i,j)eAdeD j:(j,i)eAdeD +1 if i — t 

E E h ijd -W ijd < defense_budget, 

( i,j)eA deD : 
d*d Q 

Y < W 

1 ijdk ' - rr ijd 

E^=i 

deD 

r m . s o 

»:, a s{o,i} 


(y ^ ijdk ’ 

-T 

Vk 

■’e K , 

(4.5 q) 

d&D J 

_ 




Vk'eK, 




(4.5r) 





(4.5s) 

V(/,y)e . 

4,d e 

:D,k' 

*K, 

(4.5t) 

V(/,y)e 

A, 



(4.5u) 

V(/,/) e A, d e 

D,k' 

eK, 

(4.5v) 

V(/,y)e 

A,d 

eD. 


(4.5w) 


Expressions (4.5p) and (4.5q) work together to form the outer decomposition 
master problem to minimize the cost of shortest paths with fixed attacks by the choice of 
defense and path variables. Equation (4.5q) shows the Lagrangian relaxation of the time 
budget constraint is also present in the outer master fonnulation, which regains the 
network structure of the formulation. Equation (4.5r) is similar to (4.2b), except that 
iteration subscripts “k” have been added to the path variables for each outer 
decomposition. Equation (4.5s) restates (4.2f). Equation (4.5t) is similar to (4.2c), but the 
addition of subscript “k” allows for different path variables for each iteration of outer 
decomposition. Equation (4.5u) restates (4.2f). Equation (4.5v) allows path variables to 
have continuous values, since the Lagrangian relaxation regains the network structure. 
Equation (4.5w) is unchanged from (4.2j). 

The new feature in the outer decomposition master problem is the Lagrangian 
relaxation of the time budget constraint into the iteration dependent objective equations 
(4.5q). Once again, the purpose of the relaxation is to reduce the number of binary 
variables that must be considered in the outer master problem. However, the effect of the 
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reduction is much more dramatic in the outer master problem because the path choice 
variables (Y) can be different in each iteration (k’) of outer decomposition. Lagrangian 
relaxation has its greatest effect in the outer master problem because the number of path 
choice variables (Y) is dependent upon the number of iterations (k’). 

Determination of the values of the Lagrange multiplier (pkO in the outer 
decomposition is not trivial. The outer decomposition features the defense binary 
decision variables (W) in the constraints alongside the Lagrange multiplier (p). 
Furthermore, the Lagrange multiplier (p) can have a different value for each iteration of 
outer decomposition, since the path choice variables (Y) can be different in each outer 
iteration (k’). The outer master formulation means that the value of the Lagrange 
multiplier (pkO depends upon both the choice of defense variables (W) as well as relaxed 
path choice variables(Y), which also vary during each outer decomposition iteration (k’). 

We employ a novel feature to solve the issue of determining the Lagrange 
multiplier (pk ) for each iteration of outer decomposition. We desire to avoid performing 
another round of Lagrangian relaxation iterations (L) to find the best value of the 
Lagrange multiplier for each round of DAD outer iterations (K’). We use the best value 
of the Lagrange multiplier from the inner decomposition (p*) as the only value of the 
Lagrange multiplier for the current iteration (k’) in the outer decomposition. The 
rationale behind this choice is that the Lagrange multiplier (p) serves as the amount of 
penalty that the objective function must incur for failing to adhere to the time budget 
constraint. The inner decomposition relaxation determined the best value for this penalty 
(p) when defense variables (W) were fixed and the attack variables (X) were optimized. 

The methodology for the updating of the outer decomposition upper and lower 
bounds is similar to the approach seen in Chapter I with the DAD minimum cost flow 
problem. Refer to Chapter I for the specifics of updating bounds. 

F. TWO HEURISTIC ALGORITHMS FOR DAD CSP 

In this section we utilize all of the mathematical models described in previous 
sections in order to create two related algorithms to quickly determine a reasonably good 
feasible defense (W), and establish a bound on the DAD CSP problem. The first 
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algorithm has the goal of obtaining valid upper and lower bounds on the DAD CSP 
problem instance and providing a good defense for the network that is not guaranteed to 
be optimal. We refer to the first algorithm as a bounding heuristic since its goal is to 
provide upper and lower bounds on a DAD CSP problem instance. The second algorithm 
has the goal of finding a valid lower bound and a good defense plan as fast as possible by 
ignoring the development of an upper bound. We refer to the second algorithm as a speed 
heuristic since its goal is to is to find a good defense plan and a lower bound as fast as 
possible. We use the term good defense plan because these heuristics have no guarantee 
of producing the optimal solution. We observe these heuristics could find the optimal 
solution for some instances, but they cannot guarantee optimality by themselves. 

Using these heuristic approaches as a stepping stone to obtain the optimal solution 
will be explored in the next section. We have also included a second part of a name to 
both of these algorithms as a nod to their eventual use with another technique in the next 
section. We call both of these heuristic approaches phase 1 algorithms because by 
themselves they do not guarantee the ability to converge on an optimal solution of 
defenses (W) for a network. Rather, the phase 1 algorithms provide a starting point to 
help find the optimal solution more quickly than the regular nested decomposition 
approach discussed previously. Phase 1 algorithms also provide a known defense that is 
associated with the DAD lower bound. Both phase 1 algorithms can be called a heuristic 
approach to the DAD CSP problem because there is no guarantee of optimality, nor is 
there any guarantee on the solution quality that is obtained. However, these phase 1 
algorithms both obtain at least one bound on a solution much faster than it would take to 
solve the DAD CSP problem via the regular nested decomposition approach. 

1. DAD CSP Phase 1 Bounding Heuristic Algorithm 

The phase 1 bounding heuristic algorithm incorporates all of the mathematical 
models shown in the previous sections. The Lagrange Variable dual ILP problem is used 
to produce an initial attack (X) that serves as a smart starting point for the inner 
decomposition AD sub problem. Multi-cuts are used from path enumeration to give 
multiple feasible attack cuts to the AD master problem. There are two nested loops in the 
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algorithm which represent the outer and inner decompositions of the DAD CSP problem 
instance. 


Since our heuristic algorithm uses Lagrangian relaxation, there is no guarantee of 
convergence on an optimal solution. We introduce a stopping criterion for our heuristic 
algorithm to terminate whenever it repeats a defense (W) that it had found in a previous 
iteration. In our tests, we limit the number of outer iterations of the phase 1 algorithm at 
199. We observe the algorithm always terminates because the defense plan is repeated 
twice before reaching 199 iterations. 

DAD CSP Phase 1 Bounding Heuristic Algorithm: 

Inputs: 

Network data with defense, attack, and time budgets 
Iteration limits for DAD (outer) and AD (inner) decomposition 
Optimality tolerances for all models (usually zero) 

Outputs: 

DAD Upper & Lower Bounds, best known defense (W*) and attack (X2*). 

Algorithm: 

While DAD Upper bound - DAD Lower Bound > tolerance & DAD iteration < limit: 
Solve AD CSP Lagrange Variable dual ILP 
Obtain initial attack (X) and Lagrange multiplier (p) 

While AD Upper Bound - AD Lower Bound > tolerance & AD iteration < limit: 
Solve AD CSP with Lagrangian relaxation inner sub problem 
Obtain Lagrangian upper and lower bounds and best multiplier (p) 

If Lagrangian relaxation bounds match: 

Obtain shortest path (Y) & associated cost 

Else: 

Perform Recursive Path Enumeration Algorithm 
Obtain all feasible paths (Y) & shortest path cost 
If shortest path cost > AD (inner) Lower bound: 

Update AD (inner) lower bound 

Save associated attack (X) as best known attack (X*) 

Save associated Lagrange multiplier (p) as best multiplier (p*) 

Solve CSP Inner Decomposition AD Master Problem 
Obtain attack plan (X) and associated cost 
Update AD (inner) upper bound if associated cost decreases 
Increment inner decomposition iteration counter 
Update DAD (outer) Upper Bound with AD (inner) Upper Bound, if it is smaller 
Solve DAD CSP Lagrangian Relaxation outer master 
If outer objective function value > DAD master lower bound: 

Update DAD master lower bound 

Record values of defense variables as best defense (W*). 
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Save attack associated with this defense as (X2*) 

Increment DAD iteration counter 

If current defense (W) matches a defense from a previous outer iteration: 

Exit outer while loop 

In our testing of the phase 1 bounding algorithm, we limit the maximum value of 
inner decomposition iterations to one. We observe that limiting the inner decomposition 
to one iteration step has a positive benefit at the expense of a small degradation in 
precision. We can simplify the phase 1 bounding algorithm to obtain upper and lower 
bounds more quickly by limiting the AD inner decomposition to just one iteration. But, 
the bounds obtained from just one inner decomposition iteration may be less precise than 
if more iterations were performed. The one round of AD inner decomposition allows for 
all of the steps of the algorithm to be completed. The shortcoming of using only one 
iteration of inner decomposition is that the optimal attack (X) may not be found. 
However, we believe that the tradeoff of weaker bounds in this algorithm is justified by 
the increase in solution speed, since only one iteration of inner decomposition is 
performed for each iteration of outer decomposition. The phase 1 bound algorithm is a 
heuristic, so performing more than one iteration of inner decomposition may not have 
much benefit for the extra effort required in additional inner decomposition iterations. A 
secondary benefit of only having one iteration of inner decomposition is that we do not 
need to further complicate our algorithm by checking for repeated paths. 

Proposition 4-2. The phase 1 bounding heuristic algorithm produces valid upper and 
lower bounds for a DAD CSP problem instance. 

Proof of Proposition 4-2. The heuristic approach contains all of the constraint 
equations that appear in the original DAD CSP problem, except for the time constraint, 
which has been relaxed to the objective function. The time constraint only effects the 
choice of path variables (Y), as seen in Equation (4. lg). Each set of attack variable values 
(X) obtained in the heuristic are feasible attacks because they must obey the attack 
constraints of the original DAD CSP problem. Each set of defense variable values (W) 
obtained in the heuristic are feasible defenses because they must obey the defense 
constraints of the original DAD problem. Our heuristic approach is not concerned with 
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the values of the path variables (Y), so we need not worry if the values obtained for them 
via relaxation are feasible. Ahuja et al. prove via weak duality that for any value of the 
Lagrange multiplier (p), the value of the Lagrangian function “is a lower bound on the 
optimal objective function value of the original optimization problem” (1993, p. 605). 
Our use of the same Lagrange multiplier value from the inner decomposition to the outer 
master problem produces the same effect of creating a valid lower bound on the overall 
DAD CSP problem. The phase 1 boundary algorithm also produces a valid upper bound. 
Since the phase 1 bound algorithm always includes at least one iteration of Lagrangian 
relaxation and path enumeration of the inner sub problem, we are guaranteed that the 
output of the inner sub problem is a feasible path (Y) for the original problem instance. 
The inner upper bound is computed by taking the best feasible path (Y) and the optimized 
attack (X) for a fixed defense (W). The inner upper bound is simply transferred to the 
outer decomposition as its upper bound if it is an improvement. Thus, the upper bound 
calculation is feasible solution to the original problem instance and therefore it is valid. 
Therefore, our use of Lagrangian relaxation in the phase 1 bound algorithm is guaranteed 
to produce valid upper and lower bounds on the original DAD CSP problem instance. 

2. DAD CSP Phase 1 Speed Heuristic Algorithm 

The phase 1 speed heuristic algorithm is a simplification of the phase 1 bounding 
heuristic algorithm. The speed improvement is centered on the question of the usefulness 
of the DAD CSP upper bound. Certainly, situations exist where feasible upper bounds are 
informative. But, when considering that the heuristic algorithm can be an incremental 
step toward obtaining the optimal solution within a larger algorithm, the importance of a 
valid upper bound is diminished. Since the optimal solution may be obtained after this 
incremental step, the importance of having a valid upper bound is diminished. A second, 
but less powerful concept against the importance of an upper bound is to consider the 
idea of a heuristic. The purpose of the heuristic is to obtain a good feasible solution to the 
original problem. The heuristic solution does not need to be optimal, but other qualities 
make a potentially suboptimal heuristic solution attractive. In this case, obtaining a 
feasible good suboptimal solution quickly to a DAD CSP problem is quite attractive. 
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We can modify the phase 1 bounding heuristic algorithm to be faster if we 
examine the inner decomposition to eliminate some of the calculations. The purpose of 
the inner decomposition is to determine a worst-case attack (X) as an input to the outer 
master problem. Consider that the phase 1 bounding heuristic algorithm obtains the 
worst-case attack (X) in general terms by performing three tasks. First, the phase 1 
bounding algorithm uses the Lagrange variable problem to create a good guess initial 
attack to start the decomposition. The second task performs Lagrangian relaxation and 
path enumeration to find the shortest feasible path and an inner upper bound. The third 
task finds the worst-case attack and updates the inner lower bound. If we eliminate the 
second and third tasks from the inner decomposition, we can simplify the inner 
decomposition to just one task. Eliminating these two tasks is possible because the first 
task provides a reasonably good feasible attack (X) as inputs to the DAD outer master. 
The second and third tasks serve to ensure feasibility of a path based on that attack and 
calculate valid bounds. The third task may also find a better attack than the attack 
obtained by the Lagrange variable dual ILP, but it is not guaranteed. Elimination of the 
second and third tasks reduces the number of required calculations, which improves 
solution speed. 

Elimination of the second and third major tasks from inner decomposition does 
have negative aspects. The only task remaining in inner decomposition is the Lagrange 
variable dual ILP problem, which can create an attack that is based on dual variables 
associated with an infeasible path. The eliminated task of Lagrangian relaxation with path 
enumeration ensures that a feasible path is found for the attack. Without a feasible path 
that is obtained with path enumeration, a feasible inner upper bound cannot be computed. 
The importance of the inner upper bound is that it is feasible solution to the original 
problem for a fixed defense (W). Therefore, the inner upper bound can be carried over as 
an upper bound on the overall DAD CSP problem instance. 

DAD CSP Phase 1 Speed Heuristic Algorithm: 

Inputs: 

CSP Network; defense, attack, and time budgets 

Iteration limits for DAD (outer) and AD (inner) decomposition 

Optimality tolerances for all models 
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Outputs: 

DAD Lower Bound, best known defense (W*), associated attack (X2*). 

Algorithm: 

While DAD Upper bound - DAD Lower Bound > tolerance & iteration < max value: 
Solve AD CSP Lagrange Variable dual ILP 

Obtain attack (X) and Lagrange multiplier (p) 

Solve DAD CSP with Lagrangian relaxation outer master 
Obtain and record values of defense variables (W) 

Obtain outer objective function value 

If outer objective function value > DAD master lower bound: 

Update DAD master lower bound 

Record values of defense variables as best defense (W*) 

Save attack associated with this defense as (X2*) 

If current defense (W) matches a defense from a previous outer iteration: 

Exit while loop 


G. EXTENDING THE HEURISTIC TO OBTAIN PROVABLY OPTIMAL 

SOLUTIONS 

The phase 1 bounding heuristic algorithm in the previous section allows us to 
quickly obtain valid upper and lower bounds on the DAD CSP problem instance. The 
phase 1 speed heuristic quickly finds a lower bound, but no upper bound is provided. The 
shortcoming of both of these approaches is that phase 1 algorithms do not normally find 
the optimal solution to the DAD CSP problem. In this section, we use the results of the 
phase 1 heuristic as input to another algorithm to obtain the proven optimal solution to 
the DAD CSP problem. We call this algorithm the phase 2 optimality algorithm because 
it couples with one of the phase 1 algorithms from the previous section to produce an 
optimal solution to a DAD CSP problem instance. As the names imply, the combination 
of the phase 1 speed algorithm with the phase 2 optimality algorithm can find the optimal 
solution to a DAD CSP problem instance the quickest. 

Simply stated, the phase 2 optimality algorithm is the regular nested 
decomposition discussed earlier in the chapter with two types of intelligent starting inputs 
which save time and iterations. First, regular nested decomposition begins the inner AD 
subproblem with no defense chosen as the initial fixed defense. We choose a smarter 
starting point that uses the best known defense (W*) from the phase 1 defense as a 
starting point. We also include the attack associated with that best known defense as a 
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starting point for the inner AD subproblem. These smart inputs allow the first iteration of 
inner decomposition to benefit from the information that was learned by either phase 1 
algorithm. Second, we observe regular nested decomposition starts with no information 
to build the outer master decomposition constraints. The phase 1 attack inputs to the 
phase 2 algorithm are called cuts because they act as constraints that trim portions of the 
outer master problem feasible region. Regular nested decomposition is completely 
dependent upon the results of inner decomposition to find a best attack to serve as a 
constraint for the outer master problem. The intelligent improvement is to use some or all 
of the best attacks found in each outer iteration of the phase 1 algorithms as input cuts to 
the phase 2 regular outer decomposition master problem. 

The amount of phase 1 attack cuts supplied to the phase 2 algorithm is a choice 
for an analyst to make that is based on the characteristics of the network. Selecting all 
phase 1 attack cuts as inputs to the phase 2 outer master problem makes intuitive sense. 
All of the phase 1 attack cuts would create the most number of constraints that could trim 
the feasible region of the outer master problem. But, using all attack cuts as constraints 
for the outer master problem also has a significant drawback. The outer master problem is 
essentially a large binary linear program since both the defense variables (W) and path 
choice variables (Y) are binary. Each additional attack that is added as a constraint to the 
outer master problem will require another set of binary path variables (Y), because these 
variables have the outer iteration (K’) as a subscript. A larger amount of binary variables 
can make the outer master problem more difficult to solve. Refer to (4.3m) and (4.3n) in 
the beginning of the chapter to see the iteration subscript on the path variables (Y) in the 
outer master problem. On the other hand, the analyst can choose to only pass a small 
number of phase 1 attack cuts to the phase 2 outer master problem. For example, the 
analyst could send only the two most recent cuts from the phase 1 problem. Sending a 
small number of attacks avoids the problem of a large binary linear program, but fewer 
input cuts results in less opportunity to trim portions of the outer master feasible region. 

Through trial and error, we have two recommendations for the number of attack 
cuts to send from the phase 1 algorithm to the phase 2 outer master problem. When the 
network size is small or medium size, we include all of the phase 1 attacks as input cuts 

172 



to the phase 2 outer master problem. Our small and medium size test networks do not 
suffer tremendously from the problem of creating a very large amount of binary variables 
in the outer master problem when all of the phase 1 attacks are supplied as input cuts to 
phase 2. However, we recommend the opposite for very large networks. We find that the 
usage of the final two best attacks from the phase 1 algorithm are a good choice for input 
cuts to the phase 2 outer master problem for very large networks. This improvement 
gives the outer master some initial cuts to the feasible region of possible defense and path 
choices, while not creating too many binary variables overall. If all attack cuts are sent as 
inputs to the phase 2 outer master problem for very large networks, we observe that the 
speed of convergence is slowed down as the solver attempts branch and bound for a very 
large amount of binary variables. The real-world network example shows how the use of 
only two cuts from the phase 1 algorithm can be advantageous to the phase 2 algorithm. 

DAD CSP Phase 2 OPTIMALITY Algorithm: 

Inputs: 

Complete DAD CSP Phase 1 algorithm (either speed or bounding). 

Best defense (W*) and associated attack (X2*), number of iterations perfonned 
Choose a number of Phase 1 attack (X*) to utilize as cuts 
Optimality tolerances for regular nested decomposition of DAD CSP 

Outputs: 

Best defense plan (W*), attack plan (X*), and shortest path (Y) 

DAD outer upper & lower bounds 

Algorithm: 

Use Phase 1 information to begin regular nested decomposition of DAD CSP: 

Best defense (W*) and associated attack (X2*) is start point for first inner 
iteration AD inner decomposition sub problem 
For each best attack (X*) do: 

Create outer decomposition cut for the DAD outer master problem 
Set DAD outer decomposition counter to Phase 1 iteration number 


Proposition 4-3. Outer decomposition cuts from a Phase 1 heuristic are valid, feasible 
inputs to the regular nested decomposition of the Phase 2 optimality algorithm. 

Proof of Proposition 4-3. Both Phase 1 heuristics create attacks (X), and a best 
known defense (W*) that may be suboptimal. It is possible that a path (Y) obtained from 
the Lagrange variable problem may be infeasible, but the infeasibility is only limited to 
the path (Y) variables. The selection of attack variables (X) must obey the attack budget 
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constraint (4.2d), which is not relaxed. Therefore, the attack (X) from either Phase 1 
heuristic algorithm is feasible in terms of the original problem instance. The best known 
defense (W*) is always a feasible defense, even though it is obtained through a 
Lagrangian relaxation of the outer master in both Phase 1 algorithms. The best defense 
(W*) is always feasible because it must obey the defense budget constraint of (4.2e), 
which is not relaxed. Therefore, both the attacks (X) and best defense (W*) are feasible 
inputs to the regular nested decomposition of the phase 2 optimality algorithm. 

Proposition 4-4. DAD CSP Phase 2 algorithm obtains the optimal solution to the DAD 
CSP problem. 

Proof of Proposition 4-4. The Phase 2 optimality algorithm is nothing more than 
regular nested decomposition with the introduction of different starting points. Since 
regular nested decomposition does find optimal solutions, starting the algorithm from any 
other point in the feasible region will also lead to the optimal solution. Corner points of 
the feasible region are created as the cuts to the inner and outer master problems are 
added. The use of the phase 1 problem to start the phase 2 outer decomposition problem 
with more than zero feasible cuts to the feasible region does not affect the ability to reach 
the optimal corner point. Since each cut obtained in either phase 1 or phase 2 algorithms 
are feasible cuts, the optimal solution is never excluded from the feasible region. When 
the outer upper and lower bounds match, the optimal solution has been found. 

H. RESULTS ON ARTIFICIAL TEST NETWORK 

In this section we show the results on the 50 node grid network. We show the 
results of the phase 1 bounding algorithm to see how close its bounds can come to the 
optimal solution found in phase 2 optimality algorithm. We also show the results of the 
phase 1 speed algorithm combined with the phase 2 optimality algorithm in comparison 
to regular nested decomposition by itself in order to judge if our new algorithms improve 
the ability to obtain the optimal solution to a DAD problem instance more quickly. For 
the 50 node grid test network, we require all of our algorithms to converge on the optimal 
solution. We set all optimality tolerances for the 50 node grid test network to zero. 
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In order to understand how to interpret the result of a DAD CSP instance on the 
50 node test network, we discuss the results for one budget scenario and the solution 
performance. Consider a DAD CSP problem instance on the 50 node grid network with 
defense and attack budgets of 5 units and a time budget of 40 units. The optimal defense, 
worst-case attack, and resulting shortest cost path as calculated by the regular nested 
decomposition approach are shown graphically in Figure 50 and summarized in Table 32. 
In Figure 50, the defended arcs are shown in blue dashed lines, the attacked arcs are 
shown with a red “X,” and the shortest path is shown as solid green lines. The shortest 
path cost is 27 units. The optimal solution is obtained via regular nested decomposition in 
437.7 seconds. It is also possible that the optimal cost of 27 units could also be found 
through an equivalent optimal solution with different defenses, attacks, and shortest path. 


Table 32. Optimal Defense, Attack and Shortest Path for DAD CSP Example 


Defense Budget = 5 
Attack Budget = 5 
Time Budget = 40 

50 Node Grid Test Network — Arcs Selected 
Regular Nested Decomposition Method 

Optimal Defenses 

(1, 26) (26, 35) (28, 21) (33, 50) (35,28) 

Worst-case Attacks 

(15, 8) (23, 24) (26, 27) (32, 33) (40, 33) 

Shortest Path 

(1, 26) (15, 24) (22, 15) (24, 33) (26, 35) (28, 
29) (29, 22) (33, 50) (35, 28) 

Shortest Path Cost 

27 units 

Time to Solve 

437.7 seconds 
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Figure 50. Optimal Defense, Attack and Shortest Path for DAD CSP Example 

We observe the optimal defense protects the first few segments of the shortest 
path, along with the final segment. The worst-case attack appears to favor attacking many 
of the approaches to the final segment of the path. The worst-case attack also cuts off a 
low-cost arc at the beginning of the network, since arc (26, 27) has a cost of two units. 

The results shown in Figure 50 can also be interpreted through the lens of game 
theory as the outcome of a sequential game. In this view, the defender acts first, the 
attacker acts second, and the defender acts third. First, the defender chooses to defend as 
much of the low cost path as possible, choosing the first four segments from the start 
node and the last segment connected to the terminal node. Second, the attacker uses most 
of his attacks to interdict many of the undefended approaches toward the last defended 
arc. The attacker chooses to penalize four of the paths to the tenninal node, but he cannot 
attack them all. Since all of the paths cannot be attacked, he uses his last attack to cut off 
another low cost path near the beginning of the network by attacking arc (26, 27). Lastly, 
the defender (or operator) of the network must choose the shortest cost path that is 
available after the defenses and attacks have occurred. The defender (or operator) 
chooses the first three defended arcs as part of the shortest path, but the downstream 
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attacks in the network force him or her to abandon the fourth defended arc (28, 21). The 
downstream attacks make utilizing this defended arc no longer attractive in terms of cost. 
The defender then chooses undefended and unattacked arcs that provide the shortest path 
to get him or her to the final defended arc and the terminal node of the network. 

We do not report results whenever the defense budget or attack budget is zero 
units. We observe that the phase 1 speed and phase 2 optimality algorithms work more 
slowly than regular nested decomposition whenever a defense or attack budget is zero 
units. Simplifying the problem to zero units in either the defense or attack budget changes 
the nature of the problem to something other than a DAD problem. An attack budget of 
zero units reduces the problem to a defender-defender (DD) problem, which is also 
known as the network design problem. Network design problems use other solution 
techniques that are well studied in the literature (Magnanti & Wong, 1984). A defense 
budget of zero units reduces the problem to an attacker - defender (AD) problem, which 
is the well-studied network interdiction problem, as previously discussed in the 
introduction. The network interdiction problem only requires one layer of decomposition 
to obtain a solution. Both of these zero budget cases are not our concern, since other 
existing procedures in the literature are tailored for these scenarios. 

The next two subsections display the results obtained from both the phase 1 
bounding algorithm and the phase 1 speed algorithm coupled with the phase 2 optimality 
algorithm for the 50 node grid network. The first subsection shows how quickly the phase 
1 bounding algorithm can find usable bounds and defenses that are reasonably close to 
optimal. We also report when the phase 1 defense is also the optimal solution. The 
second subsection compares how quickly the optimal solution can be found for regular 
nested decomposition vs. the combination of the phase 1 speed and phase 2 optimality 
algorithms. We use two different methods to measure the effort it takes to obtain the 
optimal solution. Our results demonstrate that the combination of the phase 1 speed and 
phase 2 optimality algorithms obtain the same value for the optimal solution much faster 
than the regular nested decomposition approach. 
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1. Results for Combination of the Bounding and Optimality Algorithms 

Table 33 compiles the results of the phase 1 bounding algorithm combined with 

the phase 2 optimality algorithm for defense and attack budget scenarios varying between 

one and seven units on the 50 node test network. We present the upper and lower bounds 

found with the Phase 1 bounding algorithm. We show the Phase 2 optimal solution value 

to verify that the optimal solution was found. We show the time it took the phase 2 

optimality algorithm to obtain the solution based on the input it received from the Phase 1 

bounding algorithm. We show the gap between the phase 1 lower bound and the optimal 

solution that was obtained in phase 2 to give an idea about the solution performance of 

the phase 1 bounding algorithm. We have shaded entries in this column green that have a 

gap within 10% of the optimal solution, yellow for gaps between 10%—25% and red for 

optimality gaps greater than 25%. The calculation of the optimality gap between the 

phase 1 lower bound and the optimal solution given in Equation (4.6a). Lastly, we have a 

column to indicate if the phase 1 bounding algorithm was able to find the optimal 

defense. We color code yes and no answers in the last column. 

_ . . /n/N Optimal Solution - Phase 1 Lower Bound 

Solution gap (%) = —-x 100% 

Phase 1 Lower Bound (a ( Y a \ 


178 



Table 33. Upper and Lower Bounds from Phase 1 Bounding Heuristic 


Defense 

Budget 

Attack 

Budget 

Phase 1 

Solution 

(seconds) 

Phase 2 
Solution 
(seconds) 

Phase 1 
Upper 
Bound 

Phase 1 
Lower 
Bound 

Phase 2 
Optimal 
Solution 

Phase 1 Bound 
vs. optimal gap 

Phase 1 defense 
optimal? 

1 

1 

9.3 

5.7 

47 

19.49 

22 

12.9% 

NO 

1 

2 

10.8 

10.5 

76 

21 

25 

19.0% 

NO 

1 

3 

12.4 

14.7 

60 

24.93 

30 

20.3% 

YES 

1 

4 

23.7 

37.7 

60 

21.4 

34 

58.9% 

NO 

1 

5 

32 

20.3 

60 

32.92 

35 

6.3% 

YES 

1 

6 

18.1 

24.7 

97 

42.16 

43 

2.0% 

YES 

1 

7 

9 

37.7 

195 

45 

45 

0.0% 

YES 

2 

1 

17 

5.3 

45 

19.49 

20 

2.6% 

NO 

2 

2 

11.9 

13.4 

72 

21 

23 

9.5% 

NO 

2 

3 

13.5 

19.2 

60 

24.93 

27 

8.3% 

NO 

2 

4 

29.4 

87.2 

41 

21.4 

32 

49.5% 

NO 

2 

5 

41.3 

81.3 

40 

30.4 

33 

8.6% 

NO 

2 

6 

21.4 

51.9 

86 

31.94 

36 

12.7% 

YES 

2 

7 

19.1 

100.5 

54 

29.05 

39 

34.3% 

YES 

3 

1 

19.1 

5.4 

45 

19.49 

20 

2.6% 

NO 

3 

2 

25 

23.8 

72 

21 

23 

9.5% 

NO 

3 

3 

32.4 

12.2 

53 

24.21 

26 

7.4% 

NO 

3 

4 

61.9 

50 

35 

26.32 

29 

10.2% 

NO 

3 

5 

55.7 

102.5 

35 

28.16 

32 

13.6% 

NO 

3 

6 

35.1 

52.4 

85 

31.1 

34 

9.3% 

YES 

3 

7 

89.4 

231.1 

54 

33.01 

37 

12.1% 

NO 

4 

1 

16.4 

3.6 

45 

19.16 

20 

4.4% 

YES 
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Defense 

Budget 

Attack 

Budget 

Phase 1 

Solution 

(seconds) 

Phase 2 
Solution 
(seconds) 

Phase 1 
Upper 
Bound 

Phase 1 
Lower 
Bound 

Phase 2 
Optimal 
Solution 

Phase 1 Bound 
vs. optimal gap 

Phase 1 defense 
optimal? 

4 

2 

22.3 

25.8 

72 

21 

22 

4.8% 

NO 

4 

3 

22.5 

31 

53 

17 

23 

35.3% 

NO 

4 

4 

40.8 

18 

56 

19.28 

26 

34.9% 

YES 

4 

5 

74.7 

358.9 

40 

25.6 

31 

21.1% 

YES 

4 

6 

70.5 

108.5 

61 

28.16 

33 

17.2% 

YES 

4 

7 

145.1 

1451.7 

51 

33 

34 

3.0% 

YES 

5 

1 

21.4 

4.1 

45 

19.16 

20 

4.4% 

YES 

5 

2 

27.7 

18 

72 

20 

22 

10.0% 

NO 

5 

3 

40.5 

16.7 

53 

21.29 

22 

3.3% 

NO 

5 

4 

100.2 

61.4 

41 

23.67 

25 

5.6% 

NO 

5 

5 

138.4 

271.9 

45 

25.6 

27 

5.5% 

NO 

5 

6 

141.7 

354.7 

60 

28 

29 

3.6% 

NO 

5 

7 

197.7 

1958.7 

54 

30.4 

33 

8.6% 

NO 

6 

1 

31.5 

4.5 

45 

19.16 

20 

4.4% 

YES 

6 

2 

29.6 

12.9 

72 

20 

22 

10.0% 

NO 

6 

3 

74.6 

20 

53 

21.29 

22 

3.3% 

NO 

6 

4 

47.8 

145 

56 

17.28 

23 

33.1% 

NO 

6 

5 

65.1 

299.7 

56 

23.67 

26 

9.8% 

YES 

6 

6 

88.5 

465.3 

60 

21.07 

27 

28.1% 

NO 

6 

7 

195.1 

34283 

54 

27.5 

31 

12.7% 

NO 

7 

1 

33.2 

4.5 

45 

17.87 

20 

11.9% 

YES 

7 

2 

21.5 

15.7 

47 

20 

21 

5.0% 

YES 

7 

3 

43.7 

10.7 

53 

20 

22 

10.0% 

NO 
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Defense 

Budget 

Attack 

Budget 

Phase 1 

Solution 

(seconds) 

Phase 2 
Solution 
(seconds) 

Phase 1 
Upper 
Bound 

Phase 1 
Lower 
Bound 

Phase 2 
Optimal 
Solution 

Phase 1 Bound 
vs. optimal gap 

Phase 1 defense 
optimal? 

7 

4 

121 

64.9 

33 

21.24 

23 

8.3% 

NO 

7 

5 

122.9 

91.3 

49 

23 

24 

4.3% 

NO 

7 

6 

445.6 

2360.6 

45 

25.12 

26 

3.5% 

NO 

7 

7 

354.3 

11184 

54 

25.6 

28 

9.4% 

NO 
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Table 33 shows that the phase 1 bounding algorithm is able to obtain valid upper 
and lower bounds on the DAD CSP problem instance quickly. It only takes the algorithm 
a few minutes to obtain bounds that are almost always within 25% of the optimal 
solution, and more often than not within 10% of the optimal solution. We observe that it 
can take considerably more time for phase 2 to prove the optimality of the solution to the 
original problem instance. The final column of the table shows that about half of the time, 
our phase 1 bounding algorithm finds the optimal defense. Recall that the phase 1 
bounding algorithm is not guaranteed to find the optimal defense for a DAD CSP 
problem instance because it is a heuristic without a performance guarantee. The final 
column shows that it is possible that the optimal solution might be found by the phase 1 
bounding algorithm. While optimal solution speed is not the goal of the phase 1 bounding 
and phase 2 optimal solution algorithm, this approach does have a solution speed that is 
comparable with regular nested decomposition. 

2. Speed and Optimality Algorithms vs. Regular Decomposition 

Table 34 provides the details of the speed comparison of the phase 1 speed 
algorithm coupled with the phase 2 optimality algorithm vs. the regular nested 
decomposition algorithm in system of Equations (4.3). The final column of Table 34 
gives the relative perfonnance percentage change between the phase 1 and 2 algorithms 
and regular nested decomposition. The final column entries are shaded green whenever 
the relative performance percentage is positive and shaded red when the relative 
performance percentage is negative. The calculation of the relative performance between 
the two algorithms is given in Equation (4.6b). 

„ , . . .... Nested Solution Time - (Phase 1+2 Solution Time) 

Relative change (%) = -x 100% 

(Phase 1+2 Solution Time) t* ^1-0 
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Table 34. Solution Times for Phase 1 and 2 vs. Nested Decomposition 


Defense 

Budget 

Attack 

Budget 

Phase 1 

Solution 

(seconds) 

Phase 2 
Solution 
(seconds) 

Phase 1+2 
Solution 
(seconds) 

Regular 

Solution 

(seconds) 

Phase 1+2 
Relative 
Change (%) 

1 

1 

2.0 

5.2 

7.2 

7.6 

5% 

1 

2 

3.2 

5.8 

8.9 

12.9 

44% 

1 

3 

3.2 

8.4 

11.6 

20.4 

76% 

1 

4 

3.7 

11.3 

15.0 

52.7 

251% 

1 

5 

6.0 

18.6 

24.5 

76.4 

212% 

1 

6 

4.4 

26.9 

31.3 

105.7 

238% 

1 

7 

6.1 

37.7 

43.8 

143.2 

227% 

2 

1 

3.0 

3.0 

6.0 

11.2 

87% 

2 

2 

4.2 

14.3 

18.5 

20.3 

10% 

2 

3 

4.4 

26.2 

30.6 

28.8 

-6% 

2 

4 

12.0 

14.6 

26.5 

121.9 

360% 

2 

5 

10.7 

59.9 

70.6 

121.1 

72% 

2 

6 

6.2 

51.3 

57.5 

170.4 

197% 

2 

7 

16.1 

70.2 

86.2 

224.8 

161% 

3 

1 

4.0 

3.3 

7.3 

11.9 

63% 

3 

2 

5.5 

14.3 

19.8 

29.4 

48% 

3 

3 

8.1 

7.2 

15.3 

34.4 

124% 

3 

4 

14.9 

27.9 

42.8 

121.7 

184% 

3 

5 

13.4 

95.6 

109.0 

251.3 

131% 

3 

6 

11.9 

52.1 

64.0 

199.2 

211% 

3 

7 

40.1 

348.0 

388.1 

467.0 

20% 

4 

1 

5.0 

3.7 

8.7 

13.7 

58% 

4 

2 

10.1 

25.3 

35.4 

35.2 

-1% 

4 

3 

6.7 

6.3 

13.0 

54.2 

316% 

4 

4 

15.1 

11.3 

26.5 

104.0 

293% 

4 

5 

28.0 

435.0 

462.9 

390.9 

-16% 

4 

6 

33.1 

79.2 

112.3 

626.3 

458% 

4 

7 

75.7 

1151.1 

1226.8 

742.4 

-39% 

5 

1 

6.1 

4.3 

10.4 

16.6 

60% 

5 

2 

10.0 

17.7 

27.7 

38.5 

39% 

5 

3 

15.0 

11.8 

26.9 

77.3 

188% 

5 

4 

15.0 

64.6 

79.6 

147.3 

85% 

5 

5 

35.7 

189.5 

225.1 

437.7 

94% 

5 

6 

63.5 

189.1 

252.6 

496.9 

97% 

5 

7 

125.5 

2522.2 

2647.7 

9845.6 

272% 

6 

1 

7.1 

4.3 

11.4 

20.3 

78% 
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Defense 

Budget 

Attack 

Budget 

Phase 1 

Solution 

(seconds) 

Phase 2 
Solution 
(seconds) 

Phase 1+2 
Solution 
(seconds) 

Regular 

Solution 

(seconds) 

Phase 1+2 
Relative 
Change (%) 

6 

2 

12.4 

9.9 

22.3 

57.5 

158% 

6 

3 

14.9 

16.2 

31.2 

62.3 

100% 

6 

4 

31.3 

20.9 

52.2 

140.3 

169% 

6 

5 

38.7 

339.5 

378.2 

490.3 

30% 

6 

6 

139.8 

337.8 

477.6 

990.1 

107% 

6 

7 

90.9 

24836.9 

24927.8 

19843.5 

-20% 

7 

1 

8.2 

4.5 

12.7 

21.2 

67% 

7 

2 

8.7 

15.4 

24.1 

56.1 

133% 

7 

3 

14.3 

12.8 

27.0 

75.6 

180% 

7 

4 

83.8 

49.4 

133.2 

342.3 

157% 

7 

5 

67.9 

207.5 

275.4 

836.1 

204% 

7 

6 

162.3 

648.6 

810.9 

2257.0 

178% 

7 

7 

1138.0 

1979.2 

3117.2 

10396.7 

234% 


Table 34 reveals that in almost all budget scenarios, the phase 1 speed and phase 2 
optimality algorithms are faster than regular nested decomposition. There are only 5 out 
of 49 budget scenarios where the phase 1 and 2 algorithms perform slower than nested 
decomposition. In these few scenarios, the phase 1 and 2 algorithm is just slightly slower 
than regular nested decomposition, with a result of 39% slower in the worst case. 

Recall that the objective of this chapter was to obtain an alternative solution 
methodology to regular nested decomposition of DAD CSP for large defense and attack 
budget scenarios that take a long time to obtain an optimal solution. The phase 1 speed 
and phase 2 optimality algorithms can be more than four times faster than regular nested 
decomposition! We frequently observe over 100% improvement in solution time. 

The results of Table 34 have been plotted in Figure 51 for an easy visual 
comparison of the relative performance improvements of the phase 1 speed and phase 2 
optimality algorithms in comparison to regular nested decomposition. The general 
contour of the three dimensional plot in Figure 51 appears to be rising as the defense and 
attack budgets increase. Figure 51 reinforces the notion that the phase 1 and 2 algorithms 
perform better than regular nested decomposition when the problem instance becomes 
more difficult to solve because of increasing defense and attack budgets. 
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Phase 1 & 2 vs. Nested Decomposition 
Solution Time Relative Performance 


50 Node Test Network 


*** Phase 1 & 2 



Figure 51. Relative Comparison of Solution Speed on 50 Node Test Network 


A shortcoming of measuring time is the computing notion of wall clock time. 
Wall clock time is a combination of CPU time, input/output time and communication 
time in a computer. Wall clock time may be affected by other processes in the computer 
or by network issues. The use of wall clock time is the only way to measure the 
performance of nested decomposition in GAMS software. GAMS refers to each mixed 
integer program that it solves as a model. GAMS can measure the total wall clock time 
when it loads, builds, and solves a model. The ability to only measure CPU time in the 
GAMS software is limited to the actual solution time of a model (McCarl, 2015). Our 
DAD CSP algorithm implementation in GAMS code uses up to seven different models to 
solve a single CSP DAD problem instance in nested loops. In the phase 1 speed 


185 






























algorithm, there are two models that work back and forth in a while loop. The AD dual 
ILP problem is a model and the DAD master is a model, both of which are called 
multiple times to establish a heuristic defense and lower bound. In the phase 2 optimality 
algorithm of the CSP DAD problem, there are five different models that work together to 
prove the optimal solution. The AD sub problem is a model, the AD sub problem with 
SEC is a model, the AD master is a model, the AD master with SEC is a model and the 
DAD master is a model. All of these five models in the phase 2 optimality algorithm are 
called multiple times in nested while loops in order to find the optimal solution to one 
DAD CSP problem instance. Thus, models are built many times and solvers are called 
over and over to for each problem instance. 

An alternative way to measure the solution speed between the algorithms is to 
look at the number of iterations that it takes to find a solution. This view is advantageous 
because it is independent of the type of computer that is performing the computations. 
The phase 1 speed algorithm only has one iteration of the Lagrange variable dual ILP and 
the DAD outer master problem with Lagrangian relaxation for outer decomposition. The 
AD inner decomposition is eliminated by the use of the Lagrange variable dual ILP. This 
change is at the heart of why the phase 1 speed algorithm is able to provide an 
improvement in the amount of effort required to find a solution to a DAD CSP problem 
instance. The Phase 2 optimality algorithm, which is just regular nested decomposition 
has inner decomposition iterations for each outer decomposition iteration. Table 35 
shows the difference in outer decomposition iterations between the phase 1 speed and 
phase 2 optimality algorithms vs. regular nested decomposition. Recall that regular 
decomposition refers to solving the DAD CSP problem instance with system of 
Equations (4.3). Problem instance scenarios with a defense or attack budget of zero units 
are not displayed. Equation (4.6c) is how the relative difference in the number of total 
iterations between the two approaches is computed. 

Iteration Relative Differenee (%) = R eg ular Iterations - (Phase 1+2 Iterations) x 1Q0% 

(Phase 1+2 Iterations) (a ^ 
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Table 35. Iteration Comparison of Phase 1 and 2 vs. Nested Decomposition 


Defense 

Budget 

Attack 

Budget 

Phase 1 
“Speed” 
Iteration 

Phase 2 
Outer 
Iteration 

Phase 2 
Inner 
Iteration 

Phase 

1+2 

Total 

Iterations 

Regular 

Outer 

Iteration 

Regular 

Inner 

Iteration 

Regular 

Total 

Iterations 

Iteration 

Relative 

Difference 

1 

1 

2 

2 

9 

13 

2 

10 

12 

-8% 

1 

2 

3 

1 

10 

14 

2 

18 

20 

43% 

1 

3 

3 

1 

15 

19 

2 

28 

30 

58% 

1 

4 

3 

1 

21 

25 

3 

71 

74 

196% 

1 

5 

4 

1 

35 

40 

3 

104 

107 

168% 

1 

6 

3 

1 

51 

55 

3 

139 

142 

158% 

1 

7 

3 

1 

65 

69 

3 

175 

178 

158% 

2 

1 

3 

1 

4 

8 

3 

14 

17 

113% 

2 

2 

4 

3 

25 

32 

3 

27 

30 

-6% 

2 

3 

4 

4 

50 

58 

3 

40 

43 

-26% 

2 

4 

9 

1 

22 

32 

7 

164 

171 

434% 

2 

5 

6 

4 

118 

128 

5 

164 

169 

32% 

2 

6 

3 

2 

98 

103 

5 

224 

229 

122% 

2 

7 

4 

2 

109 

115 

5 

270 

275 

139% 

3 

1 

4 

1 

4 

9 

4 

18 

22 

144% 

3 

2 

5 

3 

23 

31 

5 

44 

49 

58% 

3 

3 

7 

1 

12 

20 

4 

52 

56 

180% 

3 

4 

11 

2 

37 

50 

9 

180 

189 

278% 

3 

5 

8 

4 

117 

129 

12 

352 

364 

182% 

3 

6 

5 

2 

89 

96 

7 

297 

304 

217% 

3 

7 

9 

6 

326 

341 

11 

579 

590 

73% 

4 

1 

5 

1 

4 

10 

5 

21 

26 

160% 
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Defense 

Budget 

Attack 

Budget 

Phase 1 
“Speed” 
Iteration 

Phase 2 
Outer 
Iteration 

Phase 2 
Inner 
Iteration 

Phase 

1+2 

Total 

Iterations 

Regular 

Outer 

Iteration 

Regular 

Inner 

Iteration 

Regular 

Total 

Iterations 

Iteration 

Relative 

Difference 

4 

2 

9 

5 

38 

52 

6 

52 

58 

12% 

4 

3 

6 

1 

9 

16 

7 

78 

85 

431% 

4 

4 

11 

1 

13 

25 

8 

151 

159 

536% 

4 

5 

15 

4 

106 

125 

15 

403 

418 

234% 

4 

6 

12 

2 

70 

84 

16 

641 

657 

682% 

4 

7 

18 

7 

357 

382 

17 

918 

935 

145% 

5 

1 

6 

1 

4 

11 

6 

24 

30 

173% 

5 

2 

9 

4 

25 

38 

7 

55 

62 

63% 

5 

3 

12 

2 

16 

30 

11 

106 

117 

290% 

5 

4 

11 

4 

58 

73 

11 

192 

203 

178% 

5 

5 

17 

4 

84 

105 

17 

405 

422 

302% 

5 

6 

21 

3 

90 

114 

16 

552 

568 

398% 

5 

7 

24 

3 

155 

182 

25 

1118 

1143 

528% 

6 

1 

7 

1 

4 

12 

7 

27 

34 

183% 

6 

2 

11 

2 

11 

24 

11 

78 

89 

271% 

6 

3 

12 

3 

20 

35 

8 

88 

96 

174% 

6 

4 

18 

1 

9 

28 

10 

167 

177 

532% 

6 

5 

18 

6 

102 

126 

15 

302 

317 

152% 

6 

6 

29 

3 

76 

108 

21 

623 

644 

496% 

6 

7 

20 

19 

737 

776 

30 

1249 

1279 

65% 

7 

1 

8 

1 

3 

12 

8 

29 

37 

208% 

7 

2 

8 

4 

17 

29 

12 

68 

80 

176% 

7 

3 

11 

2 

13 

26 

12 

99 

111 

327% 

7 

4 

26 

1 

9 

36 

18 

233 

251 

597% 
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Defense 

Budget 

Attack 

Budget 

Phase 1 
“Speed” 
Iteration 

Phase 2 
Outer 
Iteration 

Phase 2 
Inner 
Iteration 

Phase 

1+2 

Total 

Iterations 

Regular 

Outer 

Iteration 

Regular 

Inner 

Iteration 

Regular 

Total 

Iterations 

Iteration 

Relative 

Difference 

7 

5 

22 

2 

24 

48 

24 

409 

433 

802% 

7 

6 

29 

2 

43 

74 

26 

678 

704 

851% 

7 

7 

33 

4 

103 

140 

28 

978 

1006 

619% 
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Table 35 shows how the use of phase 1 and 2 algorithms can outperform regular 
decomposition to solve DAD CSP problem instances. In all but three scenarios shown in 
Table 35, the Phase 1 and 2 combined algorithm has fewer decomposition iterations than 
the regular approach. In order to see the effect of the phase 1 speed algorithm, consider 
the comparison between phase 2 iterations and regular iterations. Recall that the phase 2 
optimality algorithm is essentially regular nested decomposition, except that the outputs 
of the phase 1 speed algorithm are used as intelligent inputs to begin the phase 2 
algorithm. One of the most impressive examples is the scenario of defense budget seven, 
attack budget six. In that scenario, 29 iterations of the phase 1 speed algorithm are 
performed to obtain a reasonable, but not provably optimal defense. The real 
improvement can be seen in comparison of phase 2 vs. the regular decomposition. The 
phase 2 algorithm only requires two outer iterations, but the regular approach requires 26 
outer iterations. This effect is further amplified in inner decomposition, since phase 2 
requires 43 inner iterations, but the regular approach requires 678 inner iterations. The 
absolute difference in the number of iterations between the phase 1 and 2 combined 
algorithm is 630 fewer iterations than the regular decomposition! Relatively speaking, the 
phase 1 and 2 combined algorithm requires eight times fewer iterations than the regular 
approach! Table 35 shows almost every other budget scenario has a similar, albeit less 
dramatic improvement in the reduction of the number of iterations needed to obtain the 
optimal solution to a problem instance scenario. The relative difference in iteration 
computation is quite remarkable, especially when one considers that a heuristic approach 
is responsible for the reduction in iterations. 

The results of Table 35 have been plotted in Figure 52 for an easy visual 
comparison of the relative number of iterations perfonned between the combinations of 
the phase 1 speed and phase 2 optimality algorithms vs. regular nested decomposition. 
Figure 52 shows the phase 1 speed and phase 2 optimality algorithms require fewer 
iterations as the defense and attack budgets increase. 
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Phase 1 & 2 vs. Nested Decomposition 
Iterations Performed Comparison 


50 Node Test Network 


*** Phase 1 & 2 



Figure 52. Relative Comparison of Iterations on 50 Node Test Network 

I. APPLICATION OF DAD CSP TO A REAL WORLD NETWORK 
1. Definition of Real World Network 

We apply our DAD CSP solution procedures to a real world network. The real 
world network that we choose is the Maryland (MD), Virginia (VA) and Washington, DC 
(DC) transportation network that was used by Carlyle and Wood (2005). We obtained the 
data from these authors via personal communication. The network has 3,670 nodes and 
9,876 directional arcs. This network includes interstate highways, federal highways and 
state routes, all of which we call roads. City streets and county thoroughfares are not 
included in the network. Nodes in this network represent various points along the roads. 

Each road is represented as two arcs between nodes, which allows for bi-directional 
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travel. We have two data items per arc. First, the distance in miles is given for each arc. 
Second, each arc has a speed limit in miles per hour. We convert speed limit and distance 
into a travel time for each arc by dividing distance by the speed limit. In contrast to our 
previous test networks, this real world network has cycles because roads allow for bi¬ 
directional travel. Figure 53 depicts the MD-VA-DC road network, with orange dots 
representing the nodes and blue lines representing the arcs. We choose a start node at the 
Pentagon and a termination node in Appomattox, VA, which are depicted with red stars. 


MD-VA-DC Road Network 


39°N 


38°N 


37°N 


84 °W 83°W 82°W 81°W 80°W 79°W 78°W 77°W 76°W 75°W 



Figure 53. MD-VA-DC Road Network. Adapted from Carlyle and Wood (2005). 

The start point of the problem instance is the highway adjacent to the Pentagon in 
Arlington, VA, and the termination point is a highway intersection in Appomattox, VA. 
Since many nodes and arcs are in the vicinity of Washington, DC, it is difficult to see the 
proximity of the starting node location. Figure 54 is a zoomed in view of the road 
network map for the Washington, DC, area. The start node can be seen in Figure 54 as a 
red star that is slightly southwest of the city center. 
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Road Network DC Area Zoom-In 


39°N 


77°W 

Figure 54. Road Network DC area. Adapted from Carlyle and Wood (2005). 

The choice of start and termination nodes for our DAD CSP problem instance on 

a real-world network must be done with care. We define a well-posed DAD CSP problem 

instance to have a shortest distance path that is significantly different than the shortest 

time path. Similarly, we define an ill-posed DAD CSP problem instance to have a 

shortest distance path and a shortest time path that share most of the same arc segments. 

We observe that when attempting to constrain time when minimizing distance is the 

objective, it is possible to have an infeasible problem instance if the shortest time path is 

eliminated by enforcing a time budget. In the worst case, when the shortest distance path 

is also the quickest path, introducing a time budget of less than the quickest path may 

eliminate all potential paths from consideration. In less extreme situations of poorly 

chosen start and termination pairs, selecting a time budget to constrain the problem 

instance could result in a very small number of feasible paths, or paths with many 
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common arcs. Poorly chosen start and termination nodes could make the optimization of 
defenses and attacks in a DAD CSP problem instance uninteresting. 

Our choice of route optimization from the Pentagon to Appomattox, VA is an 
example of a well-posed DAD CSP problem instance because the shortest distance path 
and the shortest time path do not have many common route segments. Our network data 
shows the shortest distance path is 170.58 miles long, which takes 3.65 hours. Figure 55 
shows the shortest distance path with a solid pink line. The shortest time path is 3.332 
hours, which takes 191.93 miles. The shortest time path is shown with a dashed brown 
line. The shortest distance and shortest time path route information is summarized in 
Table 36. We also include a Google Maps (2016) view of the area to orient our network 
maps with the real world in Figure 56. Note that the distances and times in our network 
data are different than those determined by Google Maps. 

Pentagon to 


38°N 


37°N 

79°W 78°W 77°W 

Figure 55. Shortest Distance and Time Paths from the Pentagon to Appomattox 
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Table 36. Shortest Distance and Time Paths from the Pentagon to Appomattox 


Pentagon to 
Appomattox Path 

Distance 

(miles) 

Time 

(hours) 

Description of Roads on Path 

Shortest Distance 

170.58 

3.65 

Washington Parkway to 1-66 to US-15 
to US-29 to VA-605 

Shortest Time 

191.93 

3.332 

1-395 to 1-95 to VA-76/288 to US-360 
to VA-307 to US-460 



i 1 / \ 

w pThe Pentagon 




Fredencktburg 


St anardsvrik, 


King George 


Port Royal 


pap yr i 


King William 




f Appomattox, 


Charles City 


Figure 56. Map from the Pentagon to Appomattox. Source: Google Maps (2016). 
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2. DAD CSP Example Scenario on Real-World Network 

An example DAD CSP problem scenario is to minimize the distance traveled 
from the Pentagon to Appomattox, VA, within a time budget of 3.6 hours, a defense 
budget of seven units and an attack budget of one unit. Notice that the time budget of 3.6 
hours eliminates the unconstrained shortest path of 170.58 miles in 3.65 hours. A penalty 
(q) of 25 miles exists for traversing an attacked arc in the shortest path. 

The results of the example scenario are shown in Figure 57. Our phase 1 speed 
heuristic gives an initial shortest distance path result of 180.99 miles. Recall the phase 1 
result is not guaranteed to be optimal. The phase 1 algorithm gives a heuristic defense 
that also turns out to be the optimal defense in the phase 2 optimality algorithm. The 
white line segments represent defended arcs. The red line segment represents the one 
attacked arc, since the attack budget was only one unit. The phase 2 optimality algorithm 
is able to find the optimal solution for this particular instance, and it gives a result of 
180.6 miles. The green line represents the shortest distance path. The blue line segments 
represent other arcs in the network, and the orange dots represent other network nodes. 
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Figure 57. Example Problem for Optimal Defense and Attack of Road Network 


Interpretation of the results of the example DAD problem instance can be inferred 
from Figure 57. The phase 1 speed algorithm identified a shortest distance path of 180.99 
miles within the time budget of 3.60 hours. The defender chose to defend as much of the 
constrained shortest path as possible with the defense budget of seven units. By looking 
at the white line segments of defended arcs on Figure 57, one can visualize how that 
segment of the route would extend to form a 180.99 mile path. Next, the attacker desired 
to maximize the length of that constrained shortest path by attacking an arc segment that 
exists on that path. The attack action can be seen with the red line segment that is 
adjacent to the defended white line segments. Finally, the operator has to choose the 
constrained shortest path after the defenses and attacks occurred. Since a penalty (q) of 
25 miles would be incurred for traveling on the shortest path found in the Phase 1 
problem, the operator decides to choose the next shortest path in the network. 
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3. Algorithm Performance Comparison on Real-World Network 

We test the scalability of both regular nested decomposition of DAD CSP as well 
as our phase 1 and phase 2 algorithms to large networks. We compare the perfonnance 
capability with regular nested decomposition to gauge the effectiveness of our algorithm 
on a large network. We find that regular nested decomposition gets bogged down on the 
large size of the network when trying to resolve the final percentage points of an 
optimality gap. The phase 2 optimality algorithm struggles to converge on the optimal 
solution for problem scenarios when the attack budget is greater than one unit. 

a. Optimality Tolerances Required for Large Test Network 

The large size of the real world network forces us to accept the fact that a perfect 
optimal solution cannot be achieved in a reasonable amount of time when the defense and 
attack budgets are greater than two units. We observe that the majority of the time used 
by the IBM CPLEX solver is spent when the relative optimality gap between the best 
known solution and optimal solution is roughly 10% or less. In order to obtain a final 
solution to most problem instances in a reasonable amount of time, we accept that our 
solutions will not completely converge on the optimal objective function value. 
Termination prior to convergence on the optimal solution means that our approaches to 
solving DAD CSP for large-scale networks are approximation algorithms. 

We set a relative optimality tolerance (RELTOL) for each of our mathematical 
models that are solved in nested decomposition according to some decision rules. Both 
the inner and outer decomposition loops have optimality tolerances that depend upon the 
solution quality of the models that are solved within them. We must choose all of the 
RELTOL values for each model with care. Failure to do so could result in a situation 
where a large RELTOL in one model makes it highly unlikely to ever satisfy a small 
RELTOL in its controlling decomposition loop. We set RELTOL values for each of the 
models of the DAD CSP real-world decomposition according to the following rules: 


Relative optimality Tolerance (RELTOL) Equations: 

Overall DAD CSP RELTOL = Outer Decomposition RELTOL (4.7a) 
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Inner Decomposition RELTOL < Outer Decomposition RELTOL (4.7b) 

Lagrange Variable dual ILP RELTOL + DAD Outer Master Lagrangian 

Relaxation RELTOL < Overall DAD CSP RELTOL (4.7c) 

AD subproblem RELTOL + AD Master RELTOL < 

AD Inner Decomposition RELTOL (4.7d) 

Inner Decomposition RELTOL + DAD Outer Master RELTOL < 

Outer Decomposition RELTOL (4.7e) 

AD Subproblem with SEC RELTOL < AD Inner Decomposition RELTOL (4.7f) 

AD Master with SEC RELTOL < DAD Outer Decomposition RELTOL (4.7g) 

Lagrange Variable dual ILP RELTOL = DAD Outer Master 

Lagrangian Relaxation RELTOL (4.7h) 

AD Inner Subproblem RELTOL = AD Inner Master RELTOL (4.7i) 

AD Inner Decomposition RELTOL = DAD Outer Master RELTOL (4.7j) 


The overall RELTOL of a DAD CSP problem instance is limited by the value we 

set for the outer decomposition RELTOL, as shown in Equation (4.7a). Equation (4.7b) 

ensures that the inner decomposition RELTOL must be at least as strict as the outer 

decomposition. Otherwise, the outer decomposition may fail to converge. Equation (4.7c) 

describes the RELTOL requirements for the Phase 1 speed algorithm heuristic solution. 

We use the Lagrange variable dual ILP problem along the DAD master with Lagrangian 

Relaxation as a heuristic guess of the final problem solution, so the sum of their RELTOL 

should be at least as strict as our outer decomposition RELTOL. We observe that the 

tighter the value of RELTOL for the Lagrange Variable dual ILP problem may lead to 

better heuristic values that are closer to the optimal solution. Equation (4.7d) describes 

the RELTOL requirements of the inner decomposition. The inner decomposition consists 

of the AD inner sub problem and AD inner master problem. Both of these mathematical 

models must have RELTOL values that are smaller than the RELTOL for the inner 

decomposition, otherwise the inner decomposition itself may not converge. Equation 

(4.7e) describes the RELTOL requirements for the outer decomposition. The outer 

decomposition is comprised of the solution to the inner decomposition and the DAD 
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outer master problem. The outer decomposition RELTOL must be greater than the sum of 
the RELTOL from the inner decomposition and the DAD master problem, otherwise the 
outer decomposition may not converge. Equations (4.7f) and (4.7g) govern the RELTOL 
for activation of the SEC to prevent repeated paths or attacks, respectively. The bounds 
created by the problems with SEC are not valid for convergence of the original problem, 
so the RELTOL for these models can be less strict. We choose the RELTOL for the SEC 
models to be at least as strict as the decomposition RELTOL which activated the 
respective SEC in Equations (4.7f) and (4.7g), but this choice is arbitrary. Equation (4.7h) 
ensures both the sub problem and master problem of the Phase 1 speed heuristic both 
have the same RELTOL. Equations (4.7i) and (4.7j) ensure that the sub problem and 
master problem of both the inner and outer decompositions have the same RELTOL. 

For our computation of DAD CSP problem instances on the real-world network, 
we set the RELTOL values as shown in Table 37. Since the largest RELTOL for any part 
of the DAD CSP problem is the outer decomposition RELTOL of 10%, the overall DAD 
CSP problem instance RELTOL is 10%. We note that relative tolerances are not strictly 
additive. Actual RELTOL limits are slightly larger than the values we choose. All test 
scenarios do not reveal any convergence issues with the RELTOL values shown in Table 
37. From the example problem instance that was solved in the previous section, the 
optimal path took 180.6 miles and a 10% RELTOL equates to roughly 18 miles of travel. 


Table 37. Relative Optimality Tolerances for DAD CSP 


Algorithms 

DAD CSP Problem Stage 

RELTOL 

value 

All 

Overall DAD CSP Problem Instance 

10% 

All 

DAD Outer Decomposition 

10% 

Phase 1 “speed” 

Lagrange Variable Dual ILP Problem 

5 % 

Phase 1 “speed” 

DAD Outer Master with Lagrangian Relaxation 

5 % 

Regular & Phase 2 

DAD Outer Master Problem 

5 % 

Regular & Phase 2 

AD Inner Decomposition 

5 % 

Regular & Phase 2 

AD Master Problem 

2.5 % 

Regular & Phase 2 

AD Subproblem 

2.5 % 

Regular & Phase 2 

AD Master Problem with SEC 

10% 

Regular & Phase 2 

AD Subproblem with SEC 

5 % 
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b. Performance Comparison 

In order to make our combined algorithm as fast as possible, we must choose the 
number of phase 1 attacks to send to the phase 2 outer master problem. Since this real 
world network is very large, it is possible that sending too many attack cuts from phase 1 
to phase 2 may bog down the outer master problem. We initially observe that using all 
available attacks from phase 1 as input cuts to phase 2 results in slower solution times for 
many budget scenarios. Instead, we choose to send only the two most recent phase 1 
attacks to the phase 2 outer master problem. This choice allows us to take advantage of 
some of the feasible attacks in the phase 1 algorithm, and disregard the less helpful 
attacks that were generated in phase 1. We limit the number of attack cuts sent to phase 2 
in order to help limit the amount of iteration dependent path variables (Y) in the outer 
master problem. The tables in this section reflect the use of two attack cuts shared 
between the phase 1 and phase 2 algorithms. Additionally, the best defense (W*) and its 
associated attack are shared from phase 1 to start the decomposition in phase 2. 

Table 38 shows the relative optimality gap comparison of the Phase 1 speed and 
phase 2 optimality algorithms compared to regular nested decomposition. We guarantee 
that the bounds achieved by our approach will be within 10% of optimality before we 
begin computation because of the RELTOL settings in the previous section. We shade the 
relative optimality gap green when the relative tolerance is less than 5% for a problem 
instance, and shade yellow when the optimality gap is between 5 to 10 %. 
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Table 38. Real World Network Solution Values and Relative Optimality Gap 


Defense 

Budget 

Attack 

Budget 

Phase 1 
Speed 
Bound 

Phase 2 
Upper 
Bound 

Phase 2 
Lower 
Bound 

Phase 2 
Optimality 
Gap (%) 

Regular 

Upper 

Bound 

Regular 

Lower 

Bound 

Regular 
Optimality 
Gap (%) 

1 

1 

182.38 

184.64 

182.38 

1.24% 

184.64 

171.18 

7.863% 

1 

2 

187.37 

196.80 

187.37 

5.03% 

197.14 

181.06 

8.881% 

1 

3 

196.18 

199.71 

196.18 

1.80% 

199.71 

185.43 

7.701% 

1 

4 

205.99 

212.64 

206.38 

3.03% 

210.75 

203.29 

3.670% 

1 

5 

212.49 

220.69 

212.49 

3.86% 

219.78 

205.46 

6.970% 

2 

1 

182.38 

184.64 

182.38 

1.24% 

184.64 

171.18 

7.863% 

2 

2 

187.37 

196.80 

187.37 

5.03% 

196.80 

180.24 

9.188% 

2 

3 

194.49 

199.71 

194.49 

2.68% 

199.71 

184.36 

8.326% 

2 

4 

204.66 

210.60 

204.66 

2.90% 

209.64 

199.17 

5.257% 

2 

5 

209.37 

217.07 

209.37 

3.68% 

217.86 

203.64 

6.983% 

3 

1 

182.38 

184.64 

182.38 

1.24% 

184.64 

171.18 

7.863% 

3 

2 

187.49 

196.80 

187.49 

4.97% 

196.80 

179.94 

9.370% 

3 

3 

194.51 

199.71 

194.51 

2.67% 

199.71 

182.95 

9.161% 

3 

4 

200.50 

209.64 

200.50 

4.56% 

209.64 

199.17 

5.257% 

3 

5 

208.26 

217.50 

208.26 

4.44% 

217.15 

199.07 

9.082% 

4 

1 

180.99 

184.64 

180.99 

2.02% 

184.64 

171.18 

7.863% 

4 

2 

186.01 

197.14 

186.01 

5.98% 

196.80 

181.67 

8.328% 

4 

3 

193.86 

199.71 

193.86 

3.02% 

199.71 

184.60 

8.185% 

4 

4 

200.50 

209.64 

200.50 

4.56% 

209.64 

191.13 

9.685% 

4 

5 

209.33 

217.88 

209.33 

4.08% 

218.28 

198.49 

9.970% 

5 

1 

180.99 

184.64 

180.99 

2.02% 

184.64 

171.18 

7.863% 

5 

2 

186.01 

197.14 

186.01 

5.98% 

196.80 

179.96 

9.358% 
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5 

3 

193.86 

199.71 

193.86 

3.02% 

199.71 

182.32 

9.538% 

5 

4 

199.07 

209.64 

199.07 

5.31% 

209.64 

191.13 

9.685% 

5 

5 

208.07 

218.58 

208.07 

5.05% 

*** 

*** 

*** 

*** Indicates problem failed to converge after 86,400 seconds (24 hours) 
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We observe an interesting effect from the phase 1 speed heuristic. The heuristic is 
able to find a valid lower bound that is always closer to optimal than the lower bound that 
is obtained from regular nested decomposition. The regular nested decomposition hardly 
ever generates an optimality gap less than 5% because it is not required to do so. Instead, 
the phase 1 heuristic generates only a lower bound, and sends it as an input to the phase 2 
optimality algorithm, which has a 10% relative optimality tolerance requirement. Table 
38 shows that the phase 1 and phase 2 approach always finds a bounds that are tighter 
than the regular nested decomposition approach. But, the phase 1 speed algorithm almost 
always generates a bound that can be proven to be within 5% of the optimal value, even 
though the requirement is a maximum 10% optimality gap. The phase 1 bound is almost 
always the lower bound in the phase 2 optimality algorithm. 

Table 39 compares the time required to obtain a solution within the RELTOL 
parameters for the combination of the phase 1 speed and phase 2 optimality algorithms 
against regular nested decomposition. The computation of relative change percentage 
between the solution times for the two different solution approaches is the same as 
Equation (4.6b). 
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Table 39. Solution Time Performance Comparison on Real World Network 


Defense 

Budget 

Attack 

Budget 

Phase 1 
Solution 
(Seconds) 

Phase 2 
Solution 
(Seconds) 

Phase 1+2 
Solution 
(Seconds) 

Regular 

Solution 

(Seconds) 

Phase 1+2 
Relative 
Change (%) 

1 

1 

39.9 

42.5 

82.4 

16.8 

-80% 

1 

2 

22.7 

46.2 

68.9 

55.7 

-19% 

1 

3 

23.5 

59.6 

83.0 

100.7 

21% 

1 

4 

42.1 

87.6 

129.7 

468.3 

261% 

1 

5 

45.4 

108.9 

154.3 

284.1 

84% 

2 

1 

67.8 

33.4 

101.1 

17.9 

-82% 

2 

2 

83.8 

51.7 

135.5 

187.8 

39% 

2 

3 

47.9 

56.5 

104.4 

174.2 

67% 

2 

4 

125.4 

95.3 

220.8 

1,516.3 

587% 

2 

5 

116.1 

94.2 

210.2 

2,457.6 

1069% 

3 

1 

74.8 

30.5 

105.2 

18.1 

-83% 

3 

2 

179.5 

36.8 

216.3 

463.8 

114% 

3 

3 

131.1 

67.2 

198.3 

246.4 

24% 

3 

4 

279.8 

86.6 

366.4 

24,857.9 

6684% 

3 

5 

1,008.0 

84.3 

1,092.3 

8,748.8 

701% 

4 

1 

108.2 

32.1 

140.4 

18.2 

-87% 

4 

2 

135.0 

47.6 

182.6 

1,019.0 

458% 

4 

3 

452.1 

61.3 

513.5 

613.7 

20% 

4 

4 

1,735.7 

98.2 

1,833.8 

15,771.7 

760% 

4 

5 

15,893.5 

379.3 

16,272.8 

64,267.3 

295% 

5 

1 

172.2 

46.2 

218.3 

15.5 

-93% 

5 

2 

300.7 

48.0 

348.6 

502.9 

44% 

5 

3 

802.4 

68.0 

870.3 

1,593.2 

83% 

5 

4 

14,890.1 

104.3 

14,994.4 

30,020.9 

100% 

5 

5 

19,333.9 

128.9 

19,462.9 


*** 


*** Indicates problem failed to converge after 86,400 seconds (24 hours) 


Table 39 reveals that the phase 1 speed and phase 2 optimality algorithm is 
quicker than regular nested decomposition in 19 of the 25 of the budget scenarios. 
Specifically, the phase 1 and 2 algorithms are always faster than regular nested 
decomposition whenever the attack budget is larger than two units. The amount of 
relative change between the two algorithms is dramatic. We observe whenever there is an 
improvement in solution time, our phase 1 and 2 algorithm is at least 20% faster, and is 
often much more than 100% faster than nested decomposition. The greatest example is 
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the scenario of defense budget of three units and attack budget four units, where our 
phase 1 and 2 algorithm is more than 60 times faster than regular nested decomposition. 

Table 39 shows that regular nested decomposition is the faster approach whenever 
the attack budget is one unit. The slower performance with an attack budget of one unit 
may be attributed to two notions. First, the phase 1 algorithm requires at least two 
iterations in order to reach its stopping criterion of obtaining a repeated defense (W). So, 
the phase 1 algorithm must always spend the time to do at least two algorithms. In the 
case of 1 attack, this may be repetitive. Secondly, the branch and bound search for regular 
nested decomposition appears to be very simple, since it only takes about 15 to 18 
seconds. Using notions about branch and bound of defenses that we developed in Chapter 
II, we believe that the outer decomposition need only defend against the best number of 
attacks that is equal to the defense budget. Further consideration of other attacks would 
not be necessary. Also, consider that regular nested decomposition starts the outer 
decomposition assuming no defenses as opposed to the phase 2 algorithm which starts 
with a heuristic defense from phase 1. In the simple case of only one attack, this usually 
smart starting defense may end up taking more time to pivot to a solution within 
tolerances than starting from the position of no defenses. We did not observe this 
behavior with the medium sized grid test network, but the test on the large network 
exposes this shortcoming of the phase 1 and 2 combined algorithm. 

We notice a common theme for the performance of the phase 1 and 2 combined 
algorithm in Tables 38 and 39. For each budget scenario in Table 39, the bulk of the 
computing time is spent in the phase 1 speed heuristic in order to obtain a good estimate 
of a defense for the network. Then, a short amount of computing time is needed by the 
phase 2 optimality algorithm to prove that the defense found by phase 1 speed heuristic is 
within optimality tolerances. The amount of time to prove optimality in the phase 2 
algorithm is usually one to two minutes, with one instance requiring roughly six minutes. 
We can tell that the defense and attack combination found by the phase 1 heuristic is 
usually optimal by looking at Table 38. The phase 1 bound is almost always the same as 
the lower bound found by phase 2 algorithm. The same value for the phase 1 bound and 
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the phase 2 lower bound means that the heuristic defense and attack found in phase 1 was 
proven to be the optimal defense and attack by the phase 2 algorithm. 

We summarize the results of Table 39 graphically in Figure 58. We represent the 
relative change percentage for the scenario of defense and attack budgets of five units 
each as greater than 10,000%, since the regular nested decomposition problem failed to 
converge within acceptable tolerances after 24 hours of computation time. Figure 58 
shows that our combined phase 1 and 2 approach is almost always significantly faster 
than regular nested decomposition of DAD CSP on the real-world network. 


Solution Time Relative Performance 
MD-VA-DC Road Network 



Figure 58. Solution Time Relative Performance for Road Network 
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There are two significant drawbacks in using solution time to measure the 
performance between the phase 1 and 2 algorithm vs. regular nested decomposition. The 
first shortcoming is the need to use the measurement of computer wall clock time as 
discussed in the previous section. Second, the implementation of our algorithm between 
the python programming language with interaction with the GAMS programming 
language may also result in some inefficiencies. The GAMS programming language has 
some inherent limitations such as the inability to call subroutines and dynamically create 
variable assignments. Because of these restrictions, we chose to implement the phase 1 
and 2 algorithms within Python and use a call GAMS to perform all mathematical 
optimization. Each time our algorithm needs to solve an optimization problem, the 
python script of our algorithm must perform a variety of tasks in order to get an answer. 
For each call to solve an optimization problem, our script needs to write data files for use 
in GAMS, pause python execution, begin an instance of GAMS, read in data files created 
by Python, solve the model in GAMS, write data files for Python interpretation, exit the 
GAMS instance, resume the python script and read in the GAMS data files. This 
extensive use of file input/output by the computer was not noticeable when the models 
were the smaller test networks. But, in the large size real-world network, the sum of all of 
the small delays of switching between programs may be significant. 

Because of the two shortcomings associated with measuring time in obtaining a 
solution, we next present an alternative measure of relative performance between the 
phase 1 and 2 algorithms vs. regular nested decomposition. We use the number of 
iterations performed as a proxy for the amount of effort required to obtain a solution 
within our specified tolerances for DAD CSP on the large-scale network. Table 12 
presents the comparison of iterations performed between the phase 1 and 2 algorithm vs. 
regular nested decomposition. The calculation of the relative difference in the number of 
iterations performed is given by Equation (4.6c) in the previous section. We shade the 
relative iteration difference green when the combined phase 1 and 2 algorithm has a 
positive relative difference, and shade red otherwise. 
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Table 40. Comparison of DAD CSP Iterations for Real World Network 


Defense 

Budget 

Attack 

Budget 

Phase 1 
Speed 
Iteration 

Phase 2 
Outer 
Iteration 

Phase 2 
Inner 
Iteration 

Phase 

1+2 

Total 

Iterations 

Regular 

Outer 

Iteration 

Regular 

Inner 

Iteration 

Regular 

Total 

Iterations 

Iteration 

Relative 

Difference 

1 

1 

3 

1 

5 

9 

1 

5 

6 

-33% 

1 

2 

2 

1 

6 

9 

2 

12 

14 

56% 

1 

3 

2 

1 

11 

14 

2 

24 

26 

86% 

1 

4 

3 

1 

16 

20 

3 

53 

56 

180% 

1 

5 

3 

1 

23 

27 

3 

59 

62 

130% 

2 

1 

4 

1 

5 

10 

1 

5 

6 

-40% 

2 

2 

4 

1 

6 

11 

4 

25 

29 

164% 

2 

3 

3 

1 

11 

15 

3 

37 

40 

167% 

2 

4 

5 

1 

21 

27 

5 

108 

113 

319% 

2 

5 

5 

1 

19 

25 

5 

122 

127 

408% 

3 

1 

4 

1 

5 

10 

1 

5 

6 

-40% 

3 

2 

6 

1 

6 

13 

6 

36 

42 

223% 

3 

3 

5 

1 

11 

17 

3 

37 

40 

135% 

3 

4 

7 

1 

13 

21 

7 

152 

159 

657% 

3 

5 

11 

1 

19 

31 

7 

157 

164 

429% 

4 

1 

5 

1 

5 

11 

1 

5 

6 

-45% 

4 

2 

5 

1 

6 

12 

7 

43 

50 

317% 

4 

3 

8 

1 

7 

16 

4 

50 

54 

238% 

4 

4 

13 

1 

25 

39 

10 

202 

212 

444% 

4 

5 

25 

1 

25 

51 

10 

172 

182 

257% 

5 

1 

6 

1 

5 

12 

1 

5 

6 

-50% 
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Defense 

Budget 

Attack 

Budget 

Phase 1 
Speed 
Iteration 

Phase 2 
Outer 
Iteration 

Phase 2 
Inner 
Iteration 

Phase 

1+2 

Total 

Iterations 

Regular 

Outer 

Iteration 

Regular 

Inner 

Iteration 

Regular 

Total 

Iterations 

Iteration 

Relative 

Difference 

5 

2 

7 

1 

6 

14 

6 

39 

45 

221% 

5 

3 

9 

1 

11 

21 

5 

59 

64 

205% 

5 

4 

25 

1 

17 

43 

12 

277 

289 

572% 

5 

5 

25 

1 

24 

50 

*** 

*** 

*** 

*** 

*** Indicates problem failed to converge after 86,400 seconds (24 hours) 
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The results of Table 40 are straightforward to interpret. Whenever the attack 
budget is greater than one unit, the phase 1 and 2 algorithm requires fewer iterations to 
solve DAD CSP than “regular” nested decomposition. The relative improvement in the 
number of iterations performed can be quite dramatic, with most values greater than a 
100% improvement in the number of iterations performed. This measurement is an 
indication that the phase 1 and 2 algorithm requires less computational effort than regular 
nested decomposition whenever the attack budget scenario is greater than one unit. 
Conversely, we also observe that regular nested decomposition requires less 
computational effort only when the attack budget is one unit. 

Figure 16 summarizes the results of Table 40. Again, we represent the relative 
difference percentage for the scenario of defense and attack budgets of five units each as 
greater than 1,000%, since the regular nested decomposition problem failed to converge 
within acceptable tolerances after 24 hours of computation time. Figure 16 shows that our 
Phase 1 and 2 approach requires significantly fewer iterations than regular nested 
decomposition of DAD CSP on the real world road network whenever the attack budget 
is greater than one unit. 
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Phase 1 & 2 vs. Nested Decomposition 
Iterations Performed Comparison 



Figure 59. Relative Difference of Iterations Performed for Road Network 

4. Lessons Learned from Real-World Network 

We have shown that our approaches to DAD CSP are scalable up to large real 
world problems, albeit with some limitations. Comparison of DAD CSP solution times 
for the large real world network has given us more insight into the performance capability 
of both regular nested decomposition and our combined phase 1 and 2 algorithms. First, 
we learned that large networks take an inordinate amount of time to solve a DAD CSP 
problem instance to perfect optimality. In order to obtain DAD CSP problem instance 
results for a specific budget scenario in less than one day (86,400 seconds) we had to 
change DAD CSP to an approximation algorithm by introducing relative optimality 
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tolerances. We were able to obtain results in less than one day when the overall relative 
optimality tolerance was 10%. We discovered that the combined phase 1 and 2 
algorithms have the potential to reduce the overall approximate solution time for a DAD 
CSP problem scenario, but an improvement in solution time is not guaranteed. We 
observe that our combined phase 1 and 2 algorithms perform the best when the problems 
are more difficult to solve because of large defense and attack budget scenarios. 

J. SUMMARY 

This chapter investigates the DAD CSP problem, which determines the optimal 
defenses, worst-case attacks and the resulting constrained shortest path between start and 
tennination nodes in a network. The DAD CSP problem is NP-hard and has never been 
solved before in academic literature. 

Initially, we showed how to apply regular nested decomposition procedures that 
are found in the literature for other DAD problems to solve DAD CSP. We observe that 
regular solution procedures become very slow on medium sized grid networks when the 
defense and attack budgets increase. We believe the slowdown of regular nested 
decomposition can be attributed to the combinatorial explosion of the number of feasible 
solutions as defense and attack budgets increase. The large number of feasible solutions 
experiences combinatorial growth because of the existence of binary defense, attack, and 
path choice variables for every arc in the network. 

We applied the technique of Lagrangian relaxation to improve the speed of 
obtaining a solution to DAD CSP. We devised a novel Lagrange variable problem to 
perform bi-level Lagrangian relaxation in an innovative way. Instead of determining the 
best value of the Lagrange multiplier (p) iteratively, we treat it as a decision variable to 
be maximized. The Lagrange variable problem can replace inner decomposition in order 
to form the core of what we call a phase 1 speed heuristic to find a reasonably good set of 
defenses and fairly close to optimal objective function value to a DAD CSP problem 
instance with no guarantee of solution quality. When the quickest time to obtain a 
solution to a DAD CSP problem instance is the primary concern, the phase 1 speed 
heuristic is the best choice. 
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Another technique to improve DAD CSP is Lagrangian relaxation combined with 
path enumeration. This approach uses the traditional iterative approach to find the best 
value of a Lagrange multiplier (p). Since iterative attempts at Lagrangian relaxation may 
not converge, we investigated path enumeration to close the convergence gap. We found 
Lagrangian relaxation and path enumeration to be a slower approach at obtaining a 
heuristic solution. We proposed using multi-cuts to reduce the number of inner 
decomposition iterations. These techniques create what we call the phase 1 bounding 
heuristic. Even though it is a slower approach to obtain a heuristic solution, the bounding 
heuristic does improve the performance of solving DAD CSP problem instances. 

It can take hours to find the optimal defense and objective function value for a 
DAD CSP problem instance when the defense and attack budgets are large. In a few 
minutes, our DAD CSP speed heuristic can produce a useful lower bounds on the optimal 
solution and a defense plan that is fairly close to the optimal solution. When the DAD 
CSP problem instance becomes difficult to solve due to a large defense and attack 
budgets, our combined phase 1 speed and phase 2 optimality algorithms have the 
potential to solve the problem optimally in a fraction of the time required by regular 
nested decomposition. We investigated how the choice of the number of attack cuts to 
pass from the phase 1 algorithm to the phase 2 algorithm can affect the speed of obtaining 
optimal or near optimal solutions. 

Our use of a real-world transportation network proves that our solution 
procedures for DAD CSP can effectively scale to large problem sizes. We observe the 
nested decomposition approach requires an inordinate amount of time to converge on the 
optimal solution for large real world networks. We loosened the relative optimality 
tolerance to 10% in order to have reasonable convergence time. We learned that our 
requirements for an exact algorithm had to be changed to an approximation algorithm in 
order to accommodate the sheer size of the large network. We also reduced the number of 
input attacks from the phase 1 algorithm to the phase 2 algorithm in order to speed up the 
time to obtain a provably near optimal solution as much as possible. We are able to 
approximately solve DAD CSP problem instances on the large real-world network for 
scenarios of up to defense and attack budgets of five units using our combined phase 1 
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speed and phase 2 optimality algorithms within a relative optimality tolerance. The 
regular nested decomposition approach performed much slower than our combined phase 
1 and 2 algorithm whenever the attack budget was greater than two units. We observe 
that our combined phase 1 and 2 algorithm can perform much faster than regular nested 
decomposition on our real-world test network whenever the attack budget is greater than 
one unit. In the best case, our combined phase 1 and 2 algorithm is more than 60 times 
faster than regular nested decomposition. But, we also discovered that phase 1 and 2 
algorithms took more time than nested decomposition when the attack budget is only one 
unit. We observe that the majority of computational time and effort in our combined 
algorithm is required by the phase 1 speed heuristic and only a small amount of time is 
needed by the phase 2 optimality algorithm to confirm that the defense found is optimal 
or near optimal. 
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V. CONCLUSIONS AND FUTURE WORK 


A. SUMMARY OF FINDINGS 

Our dissertation examines the defender-attacker-defender (DAD) tri-level 
optimization model. We supply historical context to the problem of analysis of defenses 
and attacks to systems in an optimization model. We explain how existing literature 
solves a tri-level DAD model through the implementation of nested decomposition 
procedures for the DAD minimum cost flow model. We seek to expand knowledge of 
efficient solution procedures for the tri-level DAD optimization model through exploring 
many interesting areas of the problem and creating new algorithms to improve the ability 
to solve problem instances. Our research investigated implicit enumeration (IE) and 
nested defenses for the DAD minimum cost flow problem, and also presented heuristic 
and optimal solution procedures for the DAD constrained shortest path (CSP) problem. 

We show how to apply known IE procedures to the DAD minimum cost flow 
problem. We expand upon current literature for the building of an enumeration tree for 
the DAD model by determining how to include additions to networks as potential 
defenses. IE is an efficient way to find either all multiple equivalent optimal solutions or 
all solutions within a fixed percentage of the optimal solution. IE allows us to transform a 
complicated tri-level DAD model it into a sequence of abridged bi-level AD models. 

Our IE algorithm for the DAD problem instance initially restricts the defense 
budget to zero units and solves a bi-level AD model to observe worst-case attacks. From 
the root node, an enumeration tree is generated by systematically relaxing this initial 
restriction. The relaxation occurs as an arrangement of defenses against to the worst-case 
attack by an incremental increase of the defense budget. Branches of the tree are fonned 
by each defense against the worst-case attack that improves network performance. 
Defenses can either be hardening existing edges to prevent an attack, or adding a new 
edge to the network that would improve flow. Nodes at the end of branches are new 
instances of bi-level AD problems with fixed defenses that are represented by the 
branches of the tree from the root to that node. Our IE algorithm ignores defenses that 
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cannot improve the system based on this attack. Ignoring defenses that do not improve 
the system in light of the worst-case attack function is a pruning rule to keep the size of 
the enumeration tree as small as possible. We develop theory behind our pruning rule for 
adding new edges as defenses in detail. The process of solving fixed defense bi-level AD 
models, observing worst-case attacks and defending against them by incrementally 
increasing the defense budget repeats at each new tree node and continues until the 
defense budget is exhausted. An enumeration tree is created that contains all optimal and 
near optimal solutions to the original DAD minimum cost flow problem instance. 

Our IE algorithm for the DAD problem can provide unique benefits for a decision 
maker. Equivalent optimal solutions are a useful resource for a decision maker that must 
consider factors that are beyond the scope of mathematical modeling when considering 
the best defense choices to make for an existing network. It is possible that a decision 
maker may not be indifferent between two or more mathematically equivalent solutions 
when other real-world considerations are taken into account. It is also possible that a near 
optimal solution that is found efficiently with IE could be attractive to a decision maker 
because of the tradeoff between optimality and other factors which cannot be modeled 
mathematically. Secondly, IE can also provide an alternative method to solve a DAD 
problem instance when a nested decomposition approach may be impractical or 
intractable. IE provides the ability to reduce the complexity of a tri-level optimization 
problem to a series of simpler bi-level optimization problems. In the case of a difficult tri¬ 
level DAD problem, IE offers the analyst an alternative solution algorithm. 

Our research into nested defenses for the DAD minimum cost flow problem 
quantifies the additional cost incurred by requiring a prioritized list of defenses over a 
series of budget scenarios. Nested defenses are a monotonic sequence of sets where each 
set of defenses for a particular budget scenario contains the set of defenses for the smaller 
scenario. This type of circumstance can occur when defense budgets, attack budgets, or 
both are unknown when decisions about system defenses must be made. We show how to 
implement nesting constraints to the DAD minimum cost flow model. Our research 
shows how the collection of objective function values corresponding to a set of nested 
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defenses are almost always worse than the set of optimal objective function values for a 
range of DAD problem instances when budget scenarios are parameterized. 

Our research into nested defenses on the DAD minimum cost flow problem gives 
both heuristic approaches and a parametric programming approach to find a set of nested 
defenses for a range of budget scenarios. Our heuristic approaches involve finding an 
optimal solution to a DAD problem instance for one budget scenario and using that result 
as a starting point to construct defenses for other budget scenarios. Heuristic starting points 
for nested defenses are investigated for minimum, midrange, and maximum budgets. We 
apply vector and matrix norms as well as other decision analysis tools to provide an 
indication of how to compare the perfonnance of different nesting strategies against each 
other and against the set of optimal solutions. But, there is no guarantee that the heuristic 
approach will produce a set of nested defenses that are as close as possible to the set of 
optimal solutions for a range of budget scenarios. We show that it is possible to have a set 
of nested defenses that are suboptimal for every budget scenario, and that set can be closer 
to the set of optimal non-nested solutions than all of our other heuristic nesting strategies. 
We then reformulate the problem to find the closest possible set of nested defenses to the 
set of optimal non-nested solutions in terms of a vector nonn. We consider a parametric 
programming approach to determine the best set of nested defenses to a DAD minimum 
cost flow instance. We show that parametric programming finds the closest possible nested 
defense to the set of optimal non-nested defenses based on a vector norm measurement for 
a sequence of uncertain defense and attack budget scenarios. 

Our research into the DAD Constrained Shortest Path (CSP) problem shows how 
tri-level optimization modeling can expand from network flow models into binary 
programming. In this model, arc or edge additions are not allowed. The addition of the 
side constraint takes away the network structure of a traditional shortest path problem, 
and we explain how that change means the DAD CSP model is not a network flow 
problem. We show how to apply traditional nested decomposition to the DAD CSP 
problem and that it is possible to achieve results for some problem instances using this 
approach. However, we demonstrate that nested decomposition procedures gets bogged 
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down in the binary variable branch and bound procedure when the defense and attack 
budgets increase for medium-sized grid networks. 

We introduce Lagrangian relaxation of the side constraint for both the operator 
and defender models of DAD CSP in order to regain the network structure of the 
problem. We investigate two different ways to incorporate the Lagrangian relaxation of 
the side constraint into heuristic procedures to obtain a solution to DAD CSP instances. 
First, we take advantage of the idea that Lagrangian relaxation seeks the greatest lower 
bound on the original problem. We observe that the Lagrangian goal of maximizing a 
lower bound is similar to the attacker problem goal of maximizing a shortest path. We 
combine these ideas into a Lagrange variable problem where we treat the Lagrange 
multiplier as a decision variable to be maximized. We show how regaining the network 
structure allows us to form a dual ILP version of the operator model under these 
circumstances. The Dual-ILP Lagrange variable problem then supplants decomposition 
of the inner AD model in order to find a heuristic defense. This approach is featured in 
what we call the phase 1 speed heuristic algorithm. An advantage of treating the 
Lagrange multiplier as a decision variable is that it is a very fast way to obtain a heuristic 
solution. A disadvantage is that it can only produce a lower bound on the optimal solution 
to an instance. A second method uses Lagrangian relaxation of the operator model 
follows a more traditional iterative approach to obtain the value of the Lagrange 
multiplier. In the iterative approach, the upper and lower bounds of the Lagrangian 
relaxation may not converge, which requires an additional step to find the constrained 
shortest path of the operator model. We use the technique of path enumeration to close 
the gap between Lagrangian bounds that do not converge. The second approach is called 
the phase 1 bounding heuristic algorithm. The advantage of the iterative approach is that 
it can produce valid upper and lower bounds on a DAD CSP instance. A disadvantage is 
that it is slower than the speed algorithm. 

Our two algorithms to obtain heuristic solutions to DAD CSP problem instances 
can also be incorporated into larger algorithms to obtain optimal or near optimal solutions 
more quickly than regular nested decomposition. We can use infonnation obtained in the 
heuristic algorithms as intelligent starting information to begin regular nested 
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decomposition. The use of smart starting points for nested decomposition serves to 
dramatically decrease both the time required to obtain a solution and the number of total 
iterations required within the decomposition procedures. Our most dramatic 
improvements occur when we combine our phase 1 speed algorithm with nested 
decomposition in what we call the phase 2 optimality algorithm. We show how our 
combined algorithm is usually more than 100 percent faster than regular nested 
decomposition in obtaining an optimal solution to DAD CSP instances on a medium¬ 
sized grid test network. However, our combined algorithm was found to be marginally 
slower than nested decomposition in 5 of 49 budget scenarios on the grid network. 

We show that our procedures for solving DAD CSP problem instances can be 
scaled to large real-world problems. We perform an analysis of defending and attacking 
the shortest distance road paths from the Pentagon to Appomattox, VA subject to a time 
budget constraint. We show that DAD CSP instances in real-world networks can be very 
difficult to solve optimally in a reasonable amount of time when attack budgets are 
greater than one unit. In order to obtain solutions to DAD CSP instances in under 24 
hours for our sample problem, we introduce relative tolerances which change our 
procedures to approximation algorithms. We are able to obtain solutions to DAD CSP on 
the road network for instances of defense and attack budgets of five units that are 
guaranteed to be within 10% of optimality in less than 24 hours. Our combined algorithm 
was faster than regular nested decomposition in 19 of 25 budget scenarios. We show our 
combined algorithm can obtain a provably near optimal solution from 20% to 6,000% 
faster than regular nested decomposition on the real world network. 

B. FUTURE RESEARCH TOPICS 

We believe that many advances can be made for defense and attack of systems by 
a more robust study of tri-level models that explicitly consider action of the defender, 
attacker and operation of a system. There are many unexplored avenues for research with 
the DAD tri-level optimization model. 
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1. Implicit Enumeration for DAD Constrained Shortest Paths 

One future research area is developing an alternative solution method for DAD 
CSP. We showed how Lagrangian relaxation can be used to solve DAD CSP instances 
more quickly than regular nested decomposition. However, we believe the IE algorithm 
could be applied to DAD CSP as another way to solve the problem. Future research can 
adapt an IE algorithm for the DAD CSP problem as an alternative solution methodology 
to our Lagrangian relaxation method. It would be interesting to see how the solution 
performance of IE would fare against regular nested decomposition for DAD CSP 
problem instances. It might be possible that the bi-level transformation that is performed 
in IE can provide some benefit to solving DAD CSP more efficiently. 

2. Implicit Enumeration Application to Larger or Difficult Problems 

Another future research area for the IE algorithm involves scalability limitations of 
IE to DAD models. We show in Chapter II that IE solutions to the DAD minimum cost 
flow problem can be slower than regular nested decomposition. We know that solutions to 
DAD problem instances can become very time consuming when either the defense budget, 
attack budget or network size become very large. We believe that there may be a tipping 
point where the analyst can have a preference between the IE and nested decomposition 
approaches. Is there a problem size limit when solving a DAD instance with IE is 
impractical? What is the limiting factor in scalability of the IE algorithm, is it network size, 
attack and/or defense budget size, cardinality of the set of network design elements, or 
something else? 

We also know that IE can provide an alternative method to nested decomposition 
for solving a DAD model. DAD models may exist that are very difficult to solve with a 
nested decomposition approach. What are the features of a DAD model that make the 
nested decomposition method perform poorly? Does an IE approach provide a solution 
for DAD models when nested decomposition does not? 


222 



3. 


Attack Effects on Side Constraints 


A future research area for the DAD CSP problem is attacker influences on in the 
side constraint. In our exploration of the DAD CSP problem, the attacker is only 
pennitted to change the cost of an arc. This type of attack affects optimality and does not 
affect the feasible region. Instead, suppose the attacker could attack the side constraint of 
time. For example, suppose an attacker could damage an arc so that it takes twice as 
much time to travel across it. This type attack profoundly changes the nature of the 
problem because the attacker would be able to make some previously feasible paths 
infeasible. Our current model does not allow for this possibility because our type of 
attack can only make paths more expensive in terms of distance cost. How does this new 
kind of attack behavior affect the problem? We believe the changes needed to the 
problem would be significant. Current nested decomposition methods build both the inner 
and outer master problem by creating optimality cuts of the feasible region. But, this new 
type of attack would also introduce the need for additional feasibility cuts that ensure 
paths containing attacked arcs remain within the feasible region. 

4. Determination of Lagrange Multiplier for Outer Decomposition 

Another future research area for the DAD CSP problem involves the setting of the 
Lagrange multiplier in the outer decomposition. In our research, we fix the value of the 
Lagrange multiplier on the outer decomposition to the value that was found from the 
inner decomposition. We believe this approach is an acceptable way to quickly find a 
value for the Lagrange multiplier. Better ways may exist to solve for the value for the 
Lagrange multiplier in the outer decomposition. Future research could try other methods 
to set the value of the Lagrange multiplier in the outer decomposition. 

5. DAD Modeling for Other Kinds of Systems 

Our research into DAD CSP shows that the DAD model can be applied to more 
than just network flow problems. DAD CSP is an integer linear program that is based on a 
network, but it does not have network structure because of the side constraint. The next 
logical step would be to define and formulate tri-level optimization problems that are not 
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based on networks. Other types of systems that are not networks can be defended against 
attacks, and that type of analysis could be adapted to the tri-level DAD optimization model. 
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APPENDIX. ADDITIONAL ALGORITHM PSEUDO-CODE 


A. RECURSIVE PATH ENUMERATION ALGORITHM 

Recursive Path Enumeration Algorithm Pseudo Code: 

Input: Network with nodes and their successors, start_node, end_node, path_cost, 
path time, current_path (empty by default), maximum cost allowed, maximum time 
allowed, attacks to network edges are fixed and the cost of these attacks are 
incorporated. 

Output: The shortest path with the shortest cost and associated time. 

Algorithm: 

Maximum cost = Lagrangian Upper bound, 

Maximum time = time budget. 

Current_path = current_path + start node. 

If length of current_path> 1 node: 

Calculate path time and pathcost with data for arc from previous node to start 
node 
Else: 

Set path time = 0 and path cost=0. 

If start node is the same as end node: 

Return current_path. 

Exit function. 

Initialize an empty list of paths. 

For each currentnode that is a successor to the startnode do: 

If the current node is not in the path: 

If path time < maximum time & path cost < maximum cost: 
Recursive call to obtain new paths changing these inputs: 
Startnode = currentnode. 

Path time = path time + arc time from start node to 
currentnode 

Path cost = path cost + arc cost from start node to 
currentnode 

For each new path do: 

If path time < maximum time & path cost < maximum 
cost: 

Append the new path to the list of paths. 

Sort the list of all time budget feasible paths by their associated costs. 

Exit function. 
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B. AD CSP WITH LAGRANGIAN RELAXATION AND PATH 
ENUMERATION ALGORITHM 

AD CSP with Lagrangian Relaxation & Path Enumeration Algorithm Pseudo-code: 

Inputs: 

Network with nodes, edges, costs, attack budget and time budget 

Maximum iterations for inner AD decomposition (k) & Lagrangian relaxation (L) 

Tolerance for AD inner decomposition (usually tolerance < 1 unit) 

Outputs: 

AD Upper and Lower Bounds, best attack (X*) and multiplier (p*) 

Algorithm: 

While AD Upper Bound - Lower bound > tolerance and iteration < max iterations: 

For |L| iterations: 

Solve DAD CSP Operator Model with Lagrangian Relaxation 
Obtain Lagrangian Upper and Lower bounds 
If Lagrangian bound do not match: 

Perform Recursive Path Enumeration 
Obtain shortest path (Y) and associated cost 
If Lagrangian bounds match: 

Obtain shortest path (Y) and cost 

Check if shortest path (Y) is repeated from a previous iteration 
If path repeated and AD bounds within tolerance: 

Break while and for loops. 

If path repeated and AD bounds not within tolerance: 

Resolve DAD CSP Operator Model with Lagrangian Relaxation 
with SEC on 

Continue to next iteration 
If shortest path cost > current AD lower bound: 

Update AD lower bound with shortest path cost 
Save current attack (X) as best attack X* 

Save current Lagrange multiplier (p) as best multiplier p* 

Solve AD CSP inner master problem 

Obtain attack (X) and associated cost 
If master problem cost < AD upper bound: 

Update AD upper bound 
Increment AD iteration counter 


When the inner decomposition upper and lower bounds match, or the iteration 
limit is reached, then the inner decomposition with Lagrangian relaxation is complete. 
The output of the inner decomposition is the best attack (X*) and best Lagrange 
multiplier (p*). Without matching bounds, the output is the best known attack and 
Lagrange multiplier associated with the final inner decomposition lower bound. 
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